Unified Threat Management

Advanced Firewall – Administrator’s Guide

Smoothwall® Advanced Firewall, Administrator’s Guide, December 2013
Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other
guides delivered with earlier versions of Advanced Firewall.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or
mechanical, for any purpose, without the express written permission of Smoothwall.
For more information, contact: docs@smoothwall.net
© 2001 – 2013 Smoothwall Ltd. All rights reserved.
Trademark notice
Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd.
Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire Inc.
DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Windows 95,
Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered
trademark of Netscape Communications Corporation in the United States and other countries. Apple and
Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation.
Core is a trademark of Intel Corporation.
All other products, services, companies, events and publications mentioned in this document, associated
documents and in Smoothwall software may be trademarks, registered trademarks or service marks of
their respective owners in the UK, US and/or other countries.
Acknowledgements
Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team:
Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley,
Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan
Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S.
Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves
Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul
Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez
Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc
Wormgoor.
Advanced Firewall contains graphics taken from the Open Icon Library project,
http://openiconlibrary.sourceforge.net/
Address
Smoothwall Limited
1 John Charles Way
Leeds LS12 6QA
United Kingdom

Email
info@smoothwall.net

Web
www.smoothwall.net

Telephone
USA and Canada: 1 800 959 3760
United Kingdom: 0870 1 999 500
All other countries: +44 870 1 999 500

Fax
USA and Canada: 1 888 899 9164
United Kingdom: 0870 1 991 399
All other countries: +44 870 1 991 399

Contents
Chapter 1

Introduction .................................................... 1
Overview of Advanced Firewall ....................................................... 1
Who should read this guide? ........................................................... 1
Other User Information..................................................................... 1
Annual Renewal................................................................................. 2

Chapter 2

Advanced Firewall Overview......................... 3
Accessing Advanced Firewall .......................................................... 3
Dashboard ......................................................................................... 4
Logs and reports ............................................................................... 5
Reports............................................................................................... 5
Alerts .................................................................................................. 5
Realtime ............................................................................................. 5
Logs.................................................................................................... 6
Settings .............................................................................................. 6
Networking ........................................................................................ 7
Filtering .............................................................................................. 7
Routing............................................................................................... 7
Interfaces ........................................................................................... 7
Firewall............................................................................................... 8
Outgoing ............................................................................................ 8
Settings .............................................................................................. 8
Services.............................................................................................. 9
Authentication ................................................................................... 9
User Portal......................................................................................... 9
Proxies .............................................................................................. 9
SNMP................................................................................................ 11
DNS................................................................................................... 11
Message Censor ............................................................................. 11
Intrusion System ............................................................................. 11
DHCP................................................................................................ 12
System ............................................................................................. 13
Maintenance .................................................................................... 13
Central Management ...................................................................... 13
Preferences ..................................................................................... 13
Administration ................................................................................. 14
Hardware ......................................................................................... 14
Diagnostics ...................................................................................... 14
Certificates ...................................................................................... 14
VPN................................................................................................... 15
Configuration Guidelines................................................................ 15
Specifying Networks, Hosts and Ports ......................................... 15
Using Comments............................................................................. 16

Creating, Editing and Removing Rules ......................................... 16
Connecting via the Console ........................................................... 17
Connecting Using a Client ............................................................. 17
Secure Communication .................................................................. 18
Unknown Entity Warning ................................................................ 18
Inconsistent Site Address .............................................................. 18

Chapter 3

Working with Interfaces .............................. 19
Configuring Global Settings for Interfaces ................................... 19
Connecting Using an Internet Connectivity Profile ..................... 20
Connecting Using a Static Ethernet Connectivity Profile ........... 20
Connecting using a DHCP Ethernet Connectivity Profile ........... 22
Connecting using a PPP over Ethernet Connectivity Profile ...... 23
Connecting using a PPTP over Ethernet Connectivity Profile .... 25
Connecting using an ADSL/DSL Modem Connectivity Profile ... 27
Connecting using an ISDN Modem Connectivity Profile............. 28
Connecting Using a Dial-up Modem Connectivity Profile........... 30
Creating a PPP Profile .................................................................... 31
Modifying Profiles ........................................................................... 33
Deleting Profiles .............................................................................. 33
Working with Bridges ..................................................................... 33
Creating Bridges ............................................................................. 33
Editing Bridges ................................................................................ 34
Deleting Bridges.............................................................................. 34
Working with Bonded Interfaces ................................................... 34
Creating Bonds ............................................................................... 34
Editing Bonds .................................................................................. 35
Deleting Bonds ................................................................................ 35
Configuring IP Addresses .............................................................. 35
Adding an IP Address ..................................................................... 35
Editing an IP Address ..................................................................... 35
Deleting an IP Address ................................................................... 36
Virtual LANs ..................................................................................... 36
Creating a VLAN.............................................................................. 36
Editing a VLAN................................................................................. 37
Deleting a VLAN .............................................................................. 37

Chapter 4

Managing Your Network Infrastructure..... 39
Creating Subnets ............................................................................ 39
Editing and Removing Subnet Rules............................................. 40
Using RIP ......................................................................................... 40
Sources ............................................................................................ 42
Creating Source Rules.................................................................... 42
Removing a Rule ............................................................................. 43
Editing a Rule .................................................................................. 43
About IP Address Definitions ......................................................... 43
Ports ................................................................................................. 43
Creating a Ports Rule ..................................................................... 44
Creating an External Alias Rule ..................................................... 45
Editing and Removing External Alias Rules ................................. 45
Port Forwards from External Aliases ............................................ 46

Creating a Source Mapping Rule .................................................. 46
Editing and Removing Source Mapping Rules............................. 47
Managing Internal Aliases.............................................................. 47
Creating an Internal Alias Rule ...................................................... 47
Editing and Removing Internal Alias Rules................................... 48
Working with Secondary External Interfaces ............................... 48
Configuring a Secondary External Interface ................................ 48

Chapter 5

General Network Security Settings ............ 51
Blocking by IP.................................................................................. 51
Creating IP Blocking Rules ............................................................ 51
Editing and Removing IP Block Rules........................................... 52
Configuring Advanced Networking Features ............................... 52
Working with Port Groups.............................................................. 55
Creating a Port Group .................................................................... 56
Adding Ports to Existing Port Groups ........................................... 56
Editing Port Groups ........................................................................ 57
Deleting a Port Group ..................................................................... 57

Chapter 6

Configuring Inter-Zone Security................. 59
About Zone Bridging Rules ............................................................ 59
Creating a Zone Bridging Rule ...................................................... 59
Editing and Removing Zone Bridge Rules.................................... 61
A Zone Bridging Tutorial ................................................................ 61
Creating the Zone Bridging Rule ................................................... 61
Allowing Access to the Web Server .............................................. 62
Accessing a Database on the Protected Network....................... 62
Group Bridging ................................................................................ 63
Group Bridging and Authentication............................................... 63
Creating Group Bridging Rules...................................................... 63
Editing and Removing Group Bridges........................................... 65

Chapter 7

Managing Inbound and Outbound Traffic.. 67
Introduction to Port Forwards – Inbound Security ...................... 67
Port Forward Rules Criteria ........................................................... 67
Creating Port Forward Rules ......................................................... 68
Load Balancing Port Forwarded Traffic........................................ 69
Editing and Removing Port Forward Rules .................................. 69
Advanced Network and Firewall Settings..................................... 69
Network Application Helpers ......................................................... 70
Managing Bad External Traffic ...................................................... 71
Configuring Reflective Port Forwards .......................................... 71
Managing Connectivity Failback ................................................... 71
Managing Outbound Traffic and Services .................................... 72
Working with Port Rules................................................................. 72
Working with Outbound Access Policies...................................... 76
Managing External Services .......................................................... 78

Chapter 8

Advanced Firewall Services ........................ 81
Working with Portals ...................................................................... 81
Creating a Portal ............................................................................. 81
Configuring a Portal........................................................................ 83
Accessing Portals ........................................................................... 86
Editing Portals ................................................................................. 86
Deleting Portals............................................................................... 86
Managing the Web Proxy Service.................................................. 87
Configuring and Enabling the Web Proxy Service ....................... 88
About Web Proxy Methods ............................................................ 91
Configuring End-user Browsers .................................................... 92
Instant Messenger Proxying .......................................................... 93
Monitoring SSL-encrypted Chats .................................................. 96
SIP Proxying .................................................................................... 96
Types of SIP Proxy .......................................................................... 96
Choosing the Type of SIP Proxying............................................... 97
Configuring SIP ............................................................................... 97
FTP Proxying ................................................................................... 99
Configuring non-Transparent FTP Proxying ................................ 99
Configuring Transparent FTP Proxying ...................................... 100
Reverse Proxy Service.................................................................. 102
Configuring the Reverse Proxy Service ...................................... 103
SNMP.............................................................................................. 104
DNS................................................................................................. 105
Adding Static DNS Hosts ............................................................. 105
Enabling the DNS Proxy Service.................................................. 106
Managing Dynamic DNS............................................................... 107
Censoring Message Content ....................................................... 109
Configuration Overview................................................................ 109
Managing Custom Categories ..................................................... 109
Setting Time Periods .................................................................... 110
Creating Filters.............................................................................. 111
Creating and Applying Message Censor Policies...................... 113
Editing Polices............................................................................... 114
Deleting Policies ........................................................................... 114
Managing the Intrusion System................................................... 114
About the Default Policies............................................................ 114
Deploying Intrusion Detection Policies....................................... 114
Deploying Intrusion Prevention Policies ..................................... 115
Creating Custom Policies............................................................. 117
Uploading Custom Signatures..................................................... 118
DHCP.............................................................................................. 119
Enabling DHCP.............................................................................. 120
Creating a DHCP Subnet.............................................................. 120
Editing a DHCP subnet ................................................................. 123
Deleting a DHCP subnet............................................................... 123
Adding a Dynamic Range ............................................................. 123
Adding a Static Assignment......................................................... 123
Adding a Static Assignment from the ARP Table ...................... 124
Editing and Removing Assignments ........................................... 124
Viewing DHCP Leases .................................................................. 124
DHCP Relaying .............................................................................. 125
Creating Custom DHCP Options ................................................. 125

Chapter 9

Virtual Private Networking ........................ 127
Advanced Firewall VPN Features ................................................ 127
What is a VPN? .............................................................................. 127
About VPN Gateways.................................................................... 128
Administrator Responsibilities..................................................... 128
About VPN Authentication............................................................ 128
PSK Authentication....................................................................... 129
X509 Authentication...................................................................... 129
Configuration Overview................................................................ 130
Working with Certificate Authorities and Certificates............... 131
Creating a CA ................................................................................ 131
Exporting the CA Certificate ........................................................ 132
Importing Another CA's Certificate ............................................. 133
Deleting the Local Certificate Authority and its Certificate ...... 133
Deleting an Imported CA Certificate ........................................... 134
Managing Certificates .................................................................. 134
Creating a Certificate ................................................................... 134
Reviewing a Certificate ................................................................ 135
Exporting Certificates................................................................... 135
Exporting in the PKCS#12 Format............................................... 136
Importing a Certificate.................................................................. 136
Deleting a Certificate .................................................................... 137
Setting the Default Local Certificate ........................................... 137
Site-to-Site VPNs – IPSec............................................................. 138
Recommended Settings ............................................................... 138
Creating an IPsec Tunnel ............................................................. 139
IPSec Site to Site and X509 Authentication – Example ............. 144
Prerequisite Overview .................................................................. 144
Creating the Tunnel on the Primary System............................... 144
Creating the Tunnel on the Secondary System.......................... 145
Checking the System is Active .................................................... 147
Activating the IPSec tunnel .......................................................... 147
IPSec Site to Site and PSK Authentication................................. 147
Creating the Tunnel Specification on Primary System.............. 147
Creating the Tunnel Specification on the Secondary System .. 148
Checking the System is Active .................................................... 149
Activating the PSK tunnel............................................................. 149
About Road Warrior VPNs............................................................ 150
Configuration Overview................................................................ 150
IPSec Road Warriors .................................................................... 151
Creating an IPSec Road Warrior ................................................. 151
Supported IPSec Clients .............................................................. 154
Creating L2TP Road Warrior Connections ................................. 154
Creating a Certificate ................................................................... 154
Configuring L2TP and SSL VPN Global Settings........................ 154
Creating an L2TP Tunnel .............................................................. 155
Configuring an iPhone-compatible Tunnel................................. 156
Using NAT-Traversal..................................................................... 157
VPNing Using L2TP Clients .......................................................... 157
L2TP Client Prerequisites............................................................. 157


Installing an L2TP Client ....................................................... 157
Connecting Using Windows XP/2000
VPNing with SSL ................................................................... 158
Prerequisites ......................................................................... 162
Configuring VPN with SSL .................................................... 162
Managing SSL Road Warriors ............................................... 162
Managing Custom Client Scripts for SSL VPNs ................... 163
Managing Group Access to SSL VPNs .................................. 163
Generating SSL VPN Archives .............................................. 164
Configuring and Connecting Clients ..................................... 165
Configuring SSL VPN on Internal Networks ......................... 165
VPN Zone Bridging ................................................................ 166
Advanced VPN Configuration ............................................... 169
Secure Internal Networking .................................................. 169
Creating an Internal L2TP VPN ............................................. 169
Multiple Local Certificates .................................................... 171
Public Key Authentication ..................................................... 171
Creating Multiple Local Certificates ..................................... 171
Configuring Both Ends of a Tunnel as CAs ........................... 172
VPNs between Business Partners ......................................... 173
Extended Site to Site Routing ............................................... 173
Managing VPN Systems ......................................................... 174
Automatically Starting the VPN System ................................ 175
Manually Controlling the VPN System .................................. 176
Viewing and Controlling Tunnels .......................................... 176
VPN Logging .......................................................................... 177
VPN Tutorials ......................................................................... 178
Example 1: Preshared Key Authentication ............................ 178
Example 2: X509 Authentication ........................................... 178
Example 3: Two Tunnels and Certificate Authentication ...... 180
Example 4: IPSec Road Warrior Connection ......................... 182
Example 5: L2TP Road Warrior .............................................. 183
Working with SafeNet SoftRemote ........................................ 186
Configuring IPSec Road Warriors .......................................... 187
Using the Security Policy Template ....................................... 187
Creating a Connection without the Policy File ...................... 188
Advanced Configuration ......................................................... 189

Chapter 10

Authentication and User Management ........ 191
Configuring Global Authentication Settings ........................... 193
About Directory Servers ......................................................... 193
Configuring Directories .......................................................... 194
Configuring an LDAP Connection .......................................... 195
Configuring a Microsoft Active Directory Connection ........... 195
Configuring a RADIUS Connection ........................................ 196
Configuring an Active Directory Connection – Legacy Method 199
Configuring a Local Users Directory ...................................... 200
Editing a Directory Server ...................................................... 203
Reordering Directory Servers ................................................ 203
Deleting a Directory Server ................................................... 204
Diagnosing Directories .......................................................... 204
Managing Local Users ........................................................... 204
Adding Users .......................................................................... 204
Editing Local Users ................................................................ 204
Deleting Users ........................................................................ 205
Mapping Groups ..................................................................... 205
Remapping Groups ................................................................. 205
Deleting Group Mappings ...................................................... 206
Managing Temporarily Banned Users ................................... 206
Creating a Temporary Ban ..................................................... 206
Removing Temporary Bans .................................................... 206
Removing Expired Bans ......................................................... 207
Managing User Activity .......................................................... 207
Viewing User Activity ............................................................. 208
Logging Users Out ................................................................. 208
Banning Users ........................................................................ 208
About SSL Authentication ...................................................... 208
Reviewing SSL Login Pages ................................................... 209
Customizing the SSL Login Page .......................................... 209
Configuring SSL Login ........................................................... 210
Creating SSL Login Exceptions ............................................. 211
Managing Kerberos Keytabs .................................................. 211
Managing Keytabs .................................................................. 212
Adding Keytabs ...................................................................... 212
Using WPA Enterprise ............................................................ 213
Pre-requisites ......................................................................... 213
Configuring Access Points ..................................................... 214
Configuring WPA Enterprise .................................................. 214
Provisioning the Advanced Firewall Certificate ..................... 215
Managing Groups of Users ..................................................... 215
About Groups .......................................................................... 216
Adding Groups ........................................................................ 216
Editing Groups ........................................................................ 216
Deleting Groups ...................................................................... 217

Chapter 11

Reporting ...................................................... 217
Accessing Reporting ............................................................... 219
About the Summary Page ....................................................... 219
Generating Reports ................................................................. 219
About Recent and Saved Reports ........................................... 220
Saving Reports ........................................................................ 220
Changing Report Formats ....................................................... 220
Canceling a Report .................................................................. 220
Managing Reports and Folders ............................................... 220
Report Permissions ................................................................. 221
Making Reports Available on Portals ...................................... 222
Scheduling Reports ................................................................. 222
Managing Log Retention ......................................................... 223

Chapter 12

Information, Alerts and Logging ................... 224
About the Dashboard ............................................................... 227
About the About Page .............................................................. 227
Alerts
Looking up an Alert by Its Reference ...................................... 229
Configuring Alert Settings ....................................................... 230
Realtime IPsec Information ..................................................... 234
Realtime Portal Information .................................................... 235
Realtime Instant Messaging .................................................... 236
Logs ......................................................................................... 237
System Logs ............................................................................ 238
Firewall Logs ........................................................................... 239
IDS Logs .................................................................................. 245
IPS Logs .................................................................................. 246
IM Proxy Logs ......................................................................... 247
Configuring Other Log Settings .............................................. 251
Configuring Groups ................................................................. 253
About Email to SMS Output .................................................... 255
About Placeholder Tags .......................................................... 256
Configuring Email to SMS Output ........................................... 256
Testing Email to SMS Output .................................................. 257

Chapter 13

Managing Your Advanced Firewall ................ 258
Installing Updates .................................................................... 259
Managing Modules ................................................................... 260
Removing a Module .................................................................. 261
Archives .................................................................................... 262
About Archive Profiles .............................................................. 262
Creating an Archive .................................................................. 263
257 Generating a Test Alert........................................................................... 249 User Portal Logs ............. 257 Output to Email ........... 249 Reverse Proxy Logs ........................................................................... 252 Managing Automatic Deletion of Logs ........................................... 233 Realtime System Information ............................................ 259 Installing Updates ............................................................................................................................................................................................................ 255 Deleting a Group ....... 254 Editing a Group ............................................................................................................... 251 Configuring Log Settings ............................................................................................. 233 Realtime Firewall Information........................................................................................................................................................................................................................ 254 Creating Groups..................... 241 IPSec Logs................................................................................................................................................................................................................................................................................... 255 Configuring Output Settings ........ 259 Installing Updates on a Failover System.............................. 237 Realtime Traffic Graphs ........................... 248 Web Proxy Logs ...... 243 Email Logs .......................................................................................................................................... 
263 Downloading an Archive ....................................................................................................................................................................................................... 228 Enabling Alerts ............................................................................................................................ 263 viii ................................................................................................ 227 Available Alerts.................................................................................................. 262 Installing Licenses .......... 261 Licenses ............................................................................ 230 Realtime ........... 227 Overview .................................................................................................................................

................................ 284 Configuring Modems ........................................................................................................................................................................................ 288 Whois.......................................................................................................................................................... 272 Configuring Admin Access Options ..................................................................................................... 280 Configuring Hardware Failover........................................................ 292 Configuring Child Nodes ...................................................................... 275 Adding a Tenant ................................................... 268 Configuring the User Interface ....... 293 Adding Child Nodes to the System ..................................................................Smoothwall Advanced Firewall Administrator’s Guide Restoring an Archive ... 287 IP Tools ......................................................................................................................................................................................................................................... 288 Analyzing Network Traffic .......................................................................................................................................................................................... 269 Configuring Registration Options............................................................. 291 Pre-requirements ......... 276 Deleting a Tenant ............................... 290 Importing CA Certificates.............................................................................. 290 Exporting CA Certificates................................ 279 Prerequisites ...................... 286 Generating Diagnostics .... 
283 Testing Failover.................................................................. 267 Shutting down and Rebooting ............................... 292 Configuring the Parent Node ..................................... 272 Configuring External Access .................. 267 Setting System Preferences ................................................................................................... 290 Reviewing CA Certificates ............ 284 Installing and Uploading Firmware................................................ 264 Deleting Archives ...... 279 How does it work? ................ 264 Scheduling ............................................................................................................ 286 Configuration Tests ... 273 Editing and Removing External Access Rules .......................................................................................................................................... 274 Administrative User Settings .......... 264 Scheduling Remote Archiving ............................................................................................................................................................ 266 Editing Schedules .......................................... 291 Setting up a Centrally Managed Smoothwall System ...................................................................................................... 268 Setting Time........................................ 290 Chapter 14 Centrally Managing Smoothwall Systems291 About Centrally Managing Smoothwall Systems....................................... 271 Configuring Administration and Access Settings .......................... 277 Managing Hardware Failover..................... 276 Hardware ............................................................................ 280 Administering Failover............... 272 Referral Checking ....................... 
264 Uploading an Archive.............................................................................................. 276 Managing UPS Devices ................................................................................................................................. 286 Diagnostics ......... 289 Managing CA Certificates ...... 290 Deleting and Restoring Certificates .. 274 Managing Tenants .................................................................................................................................................................................................... 275 Editing a Tenant .......................... 270 Configuring the Hostname ............. 294 ix .................................................

......... 316 Exporting Options .............. 308 Example Report.......................................................................................................................... 302 A Common DNS Pitfall................................................................................... 297 Managing Nodes in a Smoothwall System ............................................................................................................ 315 Iterative Reporting ............. 303 Accounts and NTLM Identification.... 304 Connecting a Windows 7 System to a WPA-Enterprise/802.......................................................... Exporting and Drill Down Reporting ........ 301 Overview ................. 303 Active Directory.................... 314 Understanding Groups and Grouped Options ......................................... 317 x ......................................................................................................................................... 306 Appendix B Understanding Templates and Reports.......................................................................................................................... 298 Rebooting Nodes ............... Creation and Editing ................................................................................. 304 Troubleshooting ..................... 297 Monitoring Node Status .................... 299 Appendix A Authentication ......................................................................... 302 Working with Large Directories......Contents Editing Child Node Settings ..... 297 Accessing the Node Details Page ................................................................................ 305 Windows 7 802. 312 Creating Template Reports and Customizing Sections ....................... 
310 Saving Reports ............................................................................................................................................................................................................ 307 Programmable Drill-Down Looping Engine................ 309 Changing Report Date Ranges ..................................................... 315 Grouping Sections ............................................................................. 310 Interpreted Results ....... 311 Changing the Report...................... 301 About Authentication Mechanisms ......... 308 Changing Report Formats........................................................ 311 Investigating Further (Drill down) ...............................................................................................................1X Profile Migration.............................................................................................................................. 309 Navigating HTML Reports ... 303 Active Directory Username Types................................................................................................. 313 Ordering Sections .................................................................... 301 Verifying User Identity Credentials............................................................. 314 Feed-Forward Reporting ............. 308 Report Templates........... 313 Grouped Sections .................................... 308 Viewing Reports....................................................... 316 Creating Feed-forward and Iterative Groups ...... 298 Working with Updates ............. 307 Example Report Template......................................... 315 Group Ordering .................... 302 About the Login Time-out ...................................................................... 296 Deleting Nodes in the System....... 302 Choosing an Authentication Mechanism................................................................................ 
301 Other Authentication Mechanisms............................................................................................................................................................................................................. 304 About Kerberos .............................................................................................................. 304 Kerberos Pre-requisites and Limitations.. 299 Disabling Nodes .................. 302 Advanced Firewall and DNS............................1X Wireless Network ..............

............................................................................................................................................................................... 326 Origin Filtering........................................................................................................................................ 337 Glossary Index ... 321 Generators and Linkers .............................. 332 Appendix D Hosting Tutorials........................... 322 The Anatomy of a URL.................... 324 Guardian Status Filtering.................... 326 URL Extraction and Manipulation........................................................ 323 HTTP Request Methods and HTTPS Interception .......................................... 318 Creating a Folder ............................................................................................................ 331 Site-to-site Problems............................................................................. 331 L2TP Road Warrior Problems ................... 332 Enabling L2TP Debugging.............................................. 325 Filtering by Search Terms ......... 321 General Sections ....... 335 Extended Hosting Arrangement ................................................... 332 Windows Networking Issues.............................. 320 Scheduling Reports ........................................................................................................................................................................................................... 321 Reporting Sections ........................................... 349 xi ............................. 335 Basic Hosting Arrangement.................................................................................. 341 ...............................................Smoothwall Advanced Firewall Administrator’s Guide Reporting Folders ............... 320 Portal Permissions. 320 Deleting Folders .............................. 
324 Search Terms and Search Phrases ............... 336 More Advanced Hosting Arrangement .................................................................................................................................................................................................................................... 320 Renaming Folders ....................................................................... 328 Appendix C Troubleshooting VPNs.................................................... 322 Network Interfaces ......................

Contents xii .

Chapter 1 Introduction

In this chapter:
• An overview of Advanced Firewall
• Who should read this guide
• User information.

Overview of Advanced Firewall
Advanced Firewall is the Unified Threat Management system for enterprise networks. Combining the functions of perimeter and internal firewalls, Advanced Firewall uses Microsoft Active Directory/LDAP user authentication for policy-based access control to local network zones and Internet services. Secure wireless, secure remote access and site-to-site IPSec connectivity are provided by the integrated VPN gateway.

Advanced Firewall provides:
• Perimeter firewall – multiple Internet connections with load sharing and automatic connection failover
• Internal firewall – segregation of networks into physically separate zones, with user-level access control of inter-zone traffic
• User authentication – policy-based access control and user authentication, with support for Microsoft Active Directory, Novell eDirectory and other LDAP authentication servers
• VPN gateway – site-to-site, secure remote access and secure wireless connections
• Email security – anti-spam, anti-malware, mail relay and control
• Load balancer – efficient and resilient use of multiple Internet connections.

Who should read this guide?
System administrators deploying and maintaining Advanced Firewall should read this guide.

Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative.

Other User Information
Apart from this guide, you can also find information at:
• http://www.smoothwall.net/support – the Smoothwall support portal, knowledge base and the latest product manuals.

Annual Renewal
To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative.

Chapter 2 Advanced Firewall Overview

In this chapter:
• How to access Advanced Firewall
• An overview of the pages used to configure and manage Advanced Firewall.

Accessing Advanced Firewall

Note: The following sections assume that you have registered and configured Advanced Firewall as described in the Advanced Firewall Installation and Setup Guide.

To access Advanced Firewall:

1 In a web browser, enter the address of your Advanced Firewall, for example: https://192.168.72.141:441

Note: The example address above uses HTTPS to ensure secure communication with your Advanced Firewall. It is possible to use HTTP on port 81 if you are satisfied with less security; be aware that over HTTP the administrator password and session cross the network in clear text, so if you enable it at all, reach it only from a trusted management network.

2 Accept Advanced Firewall's certificate. The login screen is displayed. If the certificate is self-signed, confirm its fingerprint out of band (for example from the console, or from the certificate you recorded at first login) before accepting it, so that you do not enter the administrator password into an impostor's login page.

3 Enter the following information:

Field – Information
Username – Enter admin. This is the default Advanced Firewall administrator account.
Password – Enter the password you specified for the admin account when installing Advanced Firewall.

4 Click Login. The Dashboard opens.

Dashboard
The dashboard is the default home page of your Advanced Firewall system. It displays service information and customizable summary reports.

The following sections give an overview of Advanced Firewall's default sections and pages.
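Step 2 of the access procedure asks you to accept the appliance's certificate, and the note allows a plain-HTTP fallback on port 81. The script below is an added example, not Smoothwall code or documentation: it records the SHA-256 fingerprint of the certificate served on the HTTPS admin port once, out of band, and on every later connection compares what the appliance presents against that pin, while also reporting whether the clear-text port 81 is reachable. The port numbers (441 and 81) are the ones the page gives; the host and the pin passed on the command line are assumptions, and the bytes used in the self-check are constructed, not a real certificate.

```python
"""Pin the admin-UI certificate of a Smoothwall-style appliance and check
whether the clear-text HTTP admin port is exposed.

Added example, not Smoothwall code. Assumptions: the HTTPS admin UI listens
on TCP 441 with a self-signed certificate, and plain HTTP may be enabled on
TCP 81, as described in the access procedure above.
"""
import hashlib
import socket
import ssl
import sys


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as AA:BB:...:FF hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der_cert(host: str, port: int = 441, timeout: float = 5.0) -> bytes:
    """Fetch the peer certificate without CA validation.

    CA validation is deliberately off: a self-signed appliance certificate
    would never pass it, and the pin comparison in evaluate() is the check
    we actually rely on. The raw DER bytes are what we fingerprint.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds (used for port 81)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def evaluate(der_cert: bytes, pinned: set[str], http_port_open: bool) -> list[str]:
    """Decision logic kept free of network I/O so it can be tested offline.

    Returns a list of findings; an empty list means the appliance presented
    a pinned certificate and the clear-text admin port is closed.
    """
    findings = []
    fp = fingerprint(der_cert)
    if fp not in pinned:
        findings.append(
            f"certificate {fp} does not match any pinned fingerprint: "
            "do not enter the admin password until you know why")
    if http_port_open:
        findings.append(
            "HTTP admin port 81 accepts connections: credentials sent to it "
            "cross the network in clear text")
    return findings


def audit(host: str, pinned: set[str],
          https_port: int = 441, http_port: int = 81) -> list[str]:
    """Live check against a real appliance: fetch, probe, evaluate."""
    return evaluate(fetch_der_cert(host, https_port), pinned,
                    port_open(host, http_port))


if __name__ == "__main__":
    # Usage: python check_admin_ui.py 192.168.72.141 AA:BB:...:FF [more pins]
    # The address is the page's example; the pin is whatever you recorded
    # out of band at first login (placeholder, assumption).
    if len(sys.argv) < 3:
        sys.exit("usage: check_admin_ui.py HOST PINNED_SHA256 [PINNED_SHA256 ...]")
    host, *pins = sys.argv[1:]
    for line in audit(host, {p.upper() for p in pins}) or ["admin interface OK"]:
        print(line)
```

To take the initial pin, run `fetch_der_cert` from a machine on the same segment as the appliance (or compare against the fingerprint shown on the console), then store the value with the rest of the appliance's configuration; any later mismatch means either the appliance was re-provisioned or something is sitting between you and it.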

Logs and reports
The Logs and reports section contains the following sub-sections and pages:

Reports
Summary – Displays a number of generated reports. For more information, see Chapter 11, About the Summary Page on page 219.
Reports – Where you generate and organize reports. For more information, see Chapter 11, Generating Reports on page 220.
Recent and saved – Lists recently generated and previously saved reports. For more information, see Chapter 11, Saving Reports on page 220.
Scheduled – Sets which reports are automatically generated and delivered. For more information, see Chapter 11, Scheduling Reports on page 223.
Custom – Enables you to create and view custom reports. For more information, see Appendix B, Understanding Templates and Reports on page 307.

Realtime
System – A realtime view of the system log with some filtering options. For more information, see Chapter 12, Realtime System Information on page 233.
Firewall – A realtime view of the firewall log with some filtering options. For more information, see Chapter 12, Realtime Firewall Information on page 234.
IPSec – A realtime view of the IPSec log with some filtering options. For more information, see Chapter 12, Realtime IPsec Information on page 235.
Portal – A realtime view of activity on user portals. For more information, see Chapter 12, Realtime Portal Information on page 236.
IM proxy – A realtime view of recent instant messaging conversations. For more information, see Chapter 12, Realtime Instant Messaging on page 237.
Traffic graphs – Displays a realtime bar graph of the bandwidth being used. For more information, see Chapter 12, Realtime Traffic Graphs on page 237.
Email – Displays the email log viewer running in realtime mode. For more information, see Chapter 12, Email Logs on page 245.

Alerts
Alerts – Determine which alerts are sent to which groups of users and in what format. For more information, see Chapter 12, Alerts on page 227.
Alert settings – Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, see Chapter 12, Configuring Alert Settings on page 230.

Logs
System – Simple logging information for the internal system services. For more information, see Chapter 12, System Logs on page 239.
Firewall – Displays all data packets that have been dropped or rejected by the firewall. For more information, see Chapter 12, Firewall Logs on page 241.
IPSec – Displays diagnostic information for VPN tunnels. For more information, see Chapter 12, IPSec Logs on page 243.
Email – Displays sender, recipient, subject and other email message information. For more information, see Chapter 12, Email Logs on page 245.
IDS – Displays network traffic detected by the intrusion detection system (IDS). For more information, see Chapter 12, IDS Logs on page 246.
IPS – Displays network traffic detected by the intrusion prevention system (IPS). For more information, see Chapter 12, IPS Logs on page 247.
IM proxy – Displays information on instant messaging conversations. For more information, see Chapter 12, IM Proxy Logs on page 248.
Web proxy – Displays detailed analysis of web proxy usage. For more information, see Chapter 12, Web Proxy Logs on page 249.
Reverse proxy – Displays information on reverse proxy usage. For more information, see Chapter 12, Reverse Proxy Logs on page 249.

Settings
Datastore settings – Contains settings to manage the storing of log files, including automated log deletion and rotation options. For more information, see Chapter 11, Managing Log Retention on page 224.
Log settings – Settings to configure the logs you want to keep and an external syslog server to send them to. For more information, see Chapter 12, Configuring Log Settings on page 251.
Output settings – Settings to configure the Email to SMS Gateway and the SMTP settings used for delivery of alerts and reports. For more information, see Chapter 12, Configuring Output Settings on page 255.
Groups – Where you create groups of users which can be configured to receive automated alerts and reports. For more information, see Chapter 12, Configuring Groups on page 254.

Networking
The Networking section contains the following sub-sections and pages:

Interfaces
Interfaces – Configure and display information on your Advanced Firewall's internal interfaces. For more information, see Chapter 3, Configuring Global Settings for Interfaces on page 19.
Connectivity – Used to create external connection profiles and implement them. For more information, see Chapter 3, Connecting Using a Static Ethernet Connectivity Profile on page 20.
PPP – Used to create Point to Point Protocol (PPP) profiles that store PPP settings for external connections using dial-up modem devices. For more information, see Chapter 3, Creating a PPP Profile on page 31.
External aliases – Used to create IP address aliases on static Ethernet external interfaces. External aliases allow additional static IPs that have been provided by an ISP to be assigned to the same external interface. For more information, see Chapter 4, Creating an External Alias Rule on page 45.
Internal aliases – Used to create aliases on internal network interfaces, enabling a single physical interface to route packets between IP addresses on a virtual subnet without the need for physical switches. For more information, see Chapter 4, Managing Internal Aliases on page 47.
Secondaries – Used to configure an additional, secondary external interface. For more information, see Chapter 4, Working with Secondary External Interfaces on page 48.
Advanced – Used to configure advanced network and traffic auditing parameters. For more information, see Chapter 5, Configuring Advanced Networking Features on page 52.

Routing
Subnets – Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Chapter 4, Creating Subnets on page 39.
RIP – Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Chapter 4, Using RIP on page 40.
Sources – Used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. For more information, see Chapter 4, Sources on page 42.
Ports – Used to create rules that set the external interface based on the destination port. For more information, see Chapter 4, Ports on page 43.

Filtering
Zone bridging – Used to define permissible communication between pairs of network zones. For more information, see Chapter 6, About Zone Bridging Rules on page 59.
Group bridging – Used to define the network zones that are accessible to authenticated groups of users. For more information, see Chapter 6, Group Bridging on page 63.
IP block – Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Chapter 5, Creating IP Blocking Rules on page 51.

Firewall
Port forwarding – Used to forward incoming connection requests to internal network hosts. For more information, see Chapter 7, Introduction to Port Forwards – Inbound Security on page 67.
Source mapping – Used to map specific internal hosts or subnets to an external alias. For more information, see Chapter 4, Creating a Source Mapping Rule on page 46.
Advanced – Used to enable or disable NAT helper modules and manage bad external traffic. For more information, see Chapter 7, Network Application Helpers on page 70.

Outgoing
Policies – Used to assign outbound access controls to IP addresses and networks. For more information, see Chapter 7, Working with Outbound Access Policies on page 76.
Ports – Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, see Chapter 7, Managing Outbound Traffic and Services on page 72.
External services – Used to define a list of external services that should always be accessible to internal network hosts. For more information, see Chapter 7, Managing External Services on page 78.

Settings
Port groups – Create and edit groups of ports for use throughout Advanced Firewall. For more information, see Chapter 5, Working with Port Groups on page 55.

Services
The Services section contains the following sub-sections and pages:

Authentication
Settings – Used to set global login time settings. For more information, see Chapter 10, Configuring Global Authentication Settings on page 193.
Directories – Used to connect to directory servers in order to retrieve groups, apply network and web filtering permissions, and verify the identity of users trying to access network or Internet resources. For more information, see Chapter 10, About Directory Servers on page 194.
Groups – Used to customize group names. For more information, see Chapter 10, Managing Groups of Users on page 216.
Temporary bans – Enables you to manage temporarily banned user accounts. For more information, see Chapter 10, Managing Temporarily Banned Users on page 206.
User activity – Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Chapter 10, Managing User Activity on page 208.
SSL login – Used to customize the end-user SSL login page and configure SSL login redirection and exceptions. For more information, see Chapter 10, About SSL Authentication on page 209.
Kerberos keytabs – This is where Kerberos keytabs are imported and managed. For more information, see Chapter 10, Managing Kerberos Keytabs on page 212.
WPA Enterprise – Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, see Chapter 10, Using WPA Enterprise on page 213.

User Portal
Portals – This page enables you to configure and manage user portals. For more information, see Chapter 8, Working with Portals on page 81.
Groups – This page enables you to assign groups of users to portals. For more information, see Chapter 8, Assigning Groups to Portals on page 85.
User exceptions – This page enables you to override group settings and assign a user directly to a portal. For more information, see Chapter 8, Making User Exceptions on page 85.

Proxies
Web proxy – Used to configure and enable the web proxy service, allowing controlled access to the Internet for local network hosts. For more information, see Chapter 8, Managing the Web Proxy Service on page 87.
Instant messenger – Used to configure and enable instant messaging proxying. For more information, see Chapter 8, Instant Messenger Proxying on page 93.

SIP – Used to configure and enable a proxy to manage Session Initiation Protocol (SIP) traffic. For more information, see Chapter 8, SIP Proxying on page 96.
FTP – Used to configure and enable a proxy to manage FTP traffic. For more information, see Chapter 8, FTP Proxying on page 99.
Reverse proxy – The reverse proxy service enables you to control requests from the Internet and forward them to servers in an internal network. For more information, see Chapter 8, Reverse Proxy Service on page 102.

SNMP
SNMP – Used to activate Advanced Firewall's Simple Network Management Protocol (SNMP) agent. For more information, see Chapter 8, SNMP on page 104.

DNS
Static DNS – Used to create a local hostname table for the purpose of mapping the hostnames of local network hosts to their IP addresses. For more information, see Chapter 8, Adding Static DNS Hosts on page 105.
DNS proxy – Used to provide a DNS proxy service for local network hosts. For more information, see Chapter 8, Enabling the DNS Proxy Service on page 106.
Dynamic DNS – Used to configure access to third-party dynamic DNS service providers. For more information, see Chapter 8, Managing Dynamic DNS on page 107.

Message Censor
Custom categories – Enables you to create and manage custom content categories for inclusion in filters. For more information, see Chapter 8, Managing Custom Categories on page 109.
Time – This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, see Chapter 8, Setting Time Periods on page 110.
Filters – This is where you create and manage filters for matching particular types of message content. For more information, see Chapter 8, Creating Filters on page 111.
Policies – Enables you to create and manage filtering policies by assigning actions to matched content. For more information, see Chapter 8, Creating and Applying Message Censor Policies on page 113.

Intrusion System
IDS – Used to enable and configure policies to monitor network activity using the Intrusion Detection System (IDS). For more information, see Chapter 8, Deploying Intrusion Detection Policies on page 114.
IPS – Used to enable and configure policies to monitor and block network activity using the Intrusion Prevention System (IPS). For more information, see Chapter 8, Deploying Intrusion Prevention Policies on page 115.
Policies – Enables you to configure Advanced Firewall's intrusion detection and prevention rules for inclusion in IDS and IPS policies. For more information, see Chapter 8, Creating Custom Policies on page 117.
Signatures – Enables you to deploy customized and automatic rules in the intrusion detection and intrusion prevention systems. For more information, see Chapter 8, Uploading Custom Signatures on page 118.

DHCP
Global: Used to enable the Dynamic Host Configuration Protocol (DHCP) service and set its mode of operation. For more information, see Chapter 8, Enabling DHCP on page 120.
DHCP server: Used to configure automatic dynamic and static IP leasing to DHCP requests received from network hosts. For more information, see Chapter 8, Creating a DHCP Subnet on page 120.
DHCP leases: Used to view all current DHCP leases, including IP address, MAC address, hostname, lease start and end time, and the current lease state. For more information, see Chapter 8, Viewing DHCP Leases on page 124.
Custom options: Used to create and edit custom DHCP options. For more information, see Chapter 8, Creating Custom DHCP Options on page 125.
DHCP relay: Used to configure the DHCP service to forward all DHCP requests to another DHCP server, and re-route DHCP responses back to the requesting host. For more information, see Chapter 8, DHCP Relaying on page 125.

System
The System section contains the following sub-sections and pages:

Maintenance
Updates: Used to display and install available product updates, in addition to listing currently installed updates. For more information, see Chapter 13, Installing Updates on page 259.
Modules: Used to upload, view, install and remove Advanced Firewall modules. For more information, see Chapter 13, Managing Modules on page 261.
Licenses: Used to display and update license information for the licensable components of the system. For more information, see Chapter 13, Licenses on page 262.
Archives: Used to create and restore archives of system configuration information. For more information, see Chapter 13, Archives on page 262.
Scheduler: Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, see Chapter 13, Scheduling on page 264.
Shutdown: Used to shut down or reboot the system. For more information, see Chapter 13, Shutting down and Rebooting on page 267.

Preferences
User interface: Used to manage Advanced Firewall’s dashboard settings. For more information, see Chapter 13, Configuring the User Interface on page 268.
Time: Used to manage Advanced Firewall’s time zone, date and time settings. For more information, see Chapter 13, Setting Time on page 269.
Registration options: Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, see Chapter 13, Configuring Registration Options on page 270.
Hostname: Used to configure Advanced Firewall’s hostname. For more information, see Chapter 13, Configuring the Hostname on page 271.

Central Management
Overview: This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Chapter 14, Managing Nodes in a Smoothwall System on page 297.
Local node settings: This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Chapter 14, Setting up a Centrally Managed Smoothwall System on page 292.
Child nodes: This is where you add and configure nodes in a Smoothwall system. For more information, see Chapter 14, Configuring Child Nodes on page 293.

Administration
Admin options: Used to enable secure access to Advanced Firewall using SSH, and to enable referral checking. For more information, see Chapter 13, Configuring Admin Access Options on page 272.
External access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Advanced Firewall. For more information, see Chapter 13, Configuring External Access on page 273.
Administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, see Chapter 13, Administrative User Settings on page 274.

Hardware
UPS: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, see Chapter 13, Managing UPS Devices on page 277.
Failover: Used to specify what Advanced Firewall should do in the event of a hardware failure. For more information, see Chapter 13, Managing Hardware Failover on page 279.
Modem: Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, see Chapter 13, Configuring Modems on page 284.
Firmware upload: Used to upload firmware used by USB modems. For more information, see Chapter 13, Installing and Uploading Firmware on page 286.

Diagnostics
Configuration tests: Used to ensure that your current Advanced Firewall settings are not likely to cause problems. For more information, see Chapter 13, Diagnostics on page 286.
Diagnostics: Used to create diagnostic files for support purposes. For more information, see Chapter 13, Generating Diagnostics on page 287.
IP tools: Contains the ping and trace route IP tools. For more information, see Chapter 13, IP Tools on page 288.
Whois: Used to find and display ownership information for a specified IP address or domain name. For more information, see Chapter 13, Whois on page 288.
Traffic analysis: Used to generate and display detailed information on current traffic. For more information, see Chapter 13, Analyzing Network Traffic on page 289.

Certificates
Certificate authorities: Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. It is also possible to import and export CA certificates on this page. For more information, see Chapter 13, Managing CA Certificates on page 290.

VPN
The VPN section contains the following pages:
Control: Used to show the current status of the VPN system and enable you to stop and restart the service. For more information, see Chapter 9, Managing VPN Systems on page 175.
Certificate authorities: Used to create a local certificate authority (CA) for use in an X509 authenticated VPN setup. For more information, see Chapter 9, Working with Certificate Authorities and Certificates on page 131.
Certificates: Used to create host certificates if a local CA has been created. This page also provides controls to import, export, view and delete host certificates. For more information, see Chapter 9, Managing Certificates on page 134.
Global: Used to configure global settings for the VPN system. For more information, see Chapter 9, Setting the Default Local Certificate on page 137.
IPSec subnets: Used to configure IPSec subnet VPN tunnels. For more information, see Chapter 9, Site-to-Site VPNs – IPSec on page 138.
IPSec roadwarriors: Used to configure IPSec road warrior VPN tunnels. For more information, see Chapter 9, IPSec Road Warriors on page 151.
L2TP roadwarriors: Used to create and manage L2TP road warrior VPN tunnels. For more information, see Chapter 9, Creating L2TP Road Warrior Connections on page 154.
SSL roadwarriors: Enables you to configure and upload custom SSL VPN client scripts. For more information, see Chapter 9, Managing Custom Client Scripts for SSL VPNs on page 164.

Configuration Guidelines
This section provides guidance about how to enter suitable values for frequently required configuration settings.

Specifying Networks, Hosts and Ports
IP Address: An IP address defines the network location of a single network host. The following format is used: 192.168.10.1
IP Address Range: An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example: 192.168.10.1-192.168.10.20 or 192.168.10.1-192.168.12.255

Subnet Addresses: A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways: 192.168.10.0/255.255.255.0 or 192.168.10.0/24
Netmasks: A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples: 255.255.255.0, 255.255.248.0, 255.255.0.0
Service and Ports: A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples: 21, 7070
Port Range: A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used: 137:139

Using Comments
Almost every configurable aspect of Advanced Firewall can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement. Comments are entered in the Comment fields and displayed alongside saved configuration information.

Creating, Editing and Removing Rules
Much of Advanced Firewall is configured by creating rules – for example, IP block rules and administration access rules.

Creating a Rule
To create a rule:
1 Enter configuration details in the Add a new rule area.
2 Click Add to create the rule and add it to the appropriate Current rules area.

Editing a Rule
To edit a rule:
1 Find the rule in the Current rules area and select its adjacent Mark option.
2 Click Edit to populate the configuration controls in the Add a new rule area with the rule’s current configuration values.
3 Change the configuration values as necessary.
4 Click Add to re-create the edited rule and add it to the Current rules area.

Removing a Rule
To remove one or more rules:
1 Select the rule(s) to be removed in the Current rules area.
2 Click Remove to remove the selected rule(s).

Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules areas will be Add a new host and Current users, etc.

Connecting via the Console
You can access Advanced Firewall via a console using the Secure Shell (SSH) protocol.
Note: By default, Advanced Firewall only allows SSH access if it has been specifically configured. See Chapter 13, Configuring Admin Access Options on page 272 for more information.

Connecting Using a Client
When SSH access is enabled, you can connect to Advanced Firewall via a secure shell application, such as PuTTY.
To connect using an SSH client:
1 Check SSH access is enabled on Advanced Firewall. See Chapter 13, Configuring Admin Access Options on page 272 for more information.
2 Start PuTTY or an equivalent client.
3 Enter the following information:
Host Name (or IP address): Enter Advanced Firewall’s host name or IP address.
Port: Enter 222.
Protocol: Select SSH.
4 Click Open. When prompted, enter root, and the password associated with it. You are given access to the Advanced Firewall command line.

Secure Communication
When you connect your web browser to Advanced Firewall’s web-based interface on a HTTPS port for the first time, your browser will display a warning that Advanced Firewall’s certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity or because you are connecting to a site pretending to be another site. In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future.
Note: The data traveling between your browser and Advanced Firewall is secure and encrypted.

Unknown Entity Warning
This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. Advanced Firewall’s certificate is a self-signed certificate. To remove this warning, your web browser needs to be told to trust certificates generated by Advanced Firewall. To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser’s documentation for information on how to import the certificate.

Inconsistent Site Address
Your browser will generate a warning if Advanced Firewall’s certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. A certificate can only contain a single site name, and in Advanced Firewall’s case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match. To remove this warning, access Advanced Firewall using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated.

Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.
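The two warnings above, modelled as an added example that is not part of this guide or of the product: a self-signed certificate is trusted only once the administrator has imported it, and a certificate that carries only the hostname never matches an IP address typed into the browser. The certificate bytes and names are constructed placeholders; fetch_fingerprint uses Python's ssl module to read a live certificate's SHA-256 fingerprint so it can be compared, over a trusted channel, with the one the browser shows before the certificate is imported.

```python
"""Model of the two browser checks described under Secure Communication:
whether the certificate's issuer is trusted (or the administrator has imported
the certificate), and whether the single name in the certificate matches the
address being accessed. Added example, not product code; certificate bytes and
names below are constructed placeholders, not a real Advanced Firewall cert."""
import hashlib
import ipaddress
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Set


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, in the form browsers display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class Certificate:
    subject_cn: str   # the one site name; Advanced Firewall uses its hostname
    issuer_cn: str    # equal to subject_cn for a self-signed certificate
    der: bytes        # constructed placeholder bytes, not real DER

    @property
    def fingerprint(self) -> str:
        return sha256_fingerprint(self.der)

    @property
    def self_signed(self) -> bool:
        return self.subject_cn == self.issuer_cn


@dataclass
class TrustStore:
    """What the browser trusts: public CAs plus certificates the admin imported."""
    trusted_issuers: Set[str] = field(default_factory=set)
    imported: Set[str] = field(default_factory=set)   # fingerprints

    def import_certificate(self, cert: Certificate) -> None:
        self.imported.add(cert.fingerprint)

    def trusts(self, cert: Certificate) -> bool:
        if cert.fingerprint in self.imported:
            return True
        return not cert.self_signed and cert.issuer_cn in self.trusted_issuers


def name_matches(cert: Certificate, accessed: str) -> bool:
    """Exact, case-insensitive match on the single name the certificate holds.
    An IP address never matches a hostname-only certificate, so accessing the
    firewall by IP always produces the Inconsistent Site Address warning."""
    try:
        ipaddress.ip_address(accessed)
        return False
    except ValueError:
        pass
    return cert.subject_cn.lower() == accessed.lower().rstrip(".")


def browser_warnings(cert: Certificate, accessed: str, store: TrustStore) -> List[str]:
    """The warnings the guide describes, for one certificate and one address."""
    warnings = []
    if not store.trusts(cert):
        warnings.append("unknown entity")
    if not name_matches(cert, accessed):
        warnings.append("inconsistent site address")
    return warnings


def fetch_fingerprint(host: str, port: int, timeout: float = 5.0) -> str:
    """Read a live server certificate without verifying it and return its
    fingerprint. Compare this with the fingerprint the browser shows before
    choosing to import the certificate. Port is whatever HTTPS port the
    firewall's web interface is configured on (not stated in this guide)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return sha256_fingerprint(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    # Constructed scenario: a self-signed firewall certificate and a browser
    # that trusts one public CA but has not yet imported the firewall's cert.
    fw = Certificate("firewall.example.net", "firewall.example.net", b"placeholder-cert")
    store = TrustStore(trusted_issuers={"Example Public CA"})
    for accessed in ("firewall.example.net", "192.168.10.1"):
        print(accessed, "->", browser_warnings(fw, accessed, store) or ["no warning"])
    store.import_certificate(fw)   # the admin imports the certificate
    for accessed in ("firewall.example.net", "192.168.10.1"):
        print(accessed, "->", browser_warnings(fw, accessed, store) or ["no warning"])
```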
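Before moving on to interface configuration, the value formats from the Configuration Guidelines earlier in this chapter, as an added example that is not Smoothwall code: a validator that accepts each format the guide lists (IP address, low-high IP range, subnet with either a prefix length or a dotted mask, netmask, port, and low:high port range), normalises subnets to their network address, and reports how many addresses an IP range covers, since a range that spans subnets can match far more hosts than its endpoints suggest. Function names are the example's own.

```python
"""Validator for the value formats in the Configuration Guidelines: single IP
address, low-high IP address range, subnet as address/prefix or
address/dotted-mask, dotted netmask, single port, and low:high port range.
Added example; the function names are the example's own, not product code."""
import ipaddress
from typing import Callable, Tuple, Union

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def parse_ip(text: str) -> IPv4:
    """A single host, e.g. 192.168.10.1 (the guide's formats are IPv4)."""
    return IPv4(text.strip())


def parse_ip_range(text: str) -> Tuple[IPv4, IPv4]:
    """A sequential range written low-high, e.g. 192.168.10.1-192.168.12.255."""
    low_s, sep, high_s = text.partition("-")
    if not sep:
        raise ValueError(f"not an IP address range: {text!r}")
    low, high = IPv4(low_s.strip()), IPv4(high_s.strip())
    if low > high:
        raise ValueError(f"range must run from low to high: {text!r}")
    return low, high


def range_size(rng: Tuple[IPv4, IPv4]) -> int:
    """Number of addresses a range covers. Ranges may span subnets, so a rule
    written against one can match many more hosts than intended; review this
    figure before saving the rule."""
    low, high = rng
    return int(high) - int(low) + 1


def parse_netmask(text: str) -> int:
    """A dotted netmask such as 255.255.248.0, returned as a prefix length.
    Non-contiguous masks (e.g. 255.0.255.0) are rejected."""
    mask = int(IPv4(text.strip()))
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {text!r}")
    return prefix


def parse_subnet(text: str) -> Net:
    """A subnet in either form the guide allows: 192.168.10.0/24 or
    192.168.10.0/255.255.255.0. The address part may be any address in the
    network ('arbitrary' in the guide), so the result is normalised."""
    addr_s, sep, mask_s = text.partition("/")
    if not sep:
        raise ValueError(f"not a subnet: {text!r}")
    mask_s = mask_s.strip()
    prefix = int(mask_s) if mask_s.isdigit() else parse_netmask(mask_s)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {text!r}")
    return Net((addr_s.strip(), prefix), strict=False)


def parse_port(text: str) -> int:
    """A single numeric port, e.g. 21 or 7070."""
    port = int(text.strip())
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text!r}")
    return port


def parse_port_range(text: str) -> Tuple[int, int]:
    """A port range written low:high, e.g. 137:139."""
    low_s, sep, high_s = text.partition(":")
    if not sep:
        raise ValueError(f"not a port range: {text!r}")
    low, high = parse_port(low_s), parse_port(high_s)
    if low > high:
        raise ValueError(f"port range must run from low to high: {text!r}")
    return low, high


def classify(text: str) -> Tuple[str, Union[IPv4, Net, Tuple, int]]:
    """Work out which format a field value uses and parse it. A bare netmask
    looks like an IP address, which is why the guide keeps netmasks in their
    own fields rather than mixing them into address fields."""
    text = text.strip()
    if "/" in text:
        return "subnet", parse_subnet(text)
    if "-" in text:
        return "ip_range", parse_ip_range(text)
    if ":" in text:
        return "port_range", parse_port_range(text)
    if text.isdigit():
        return "port", parse_port(text)
    return "ip", parse_ip(text)


def is_valid(parser: Callable[[str], object], text: str) -> bool:
    """True if the parser accepts the value; used to confirm rejections."""
    try:
        parser(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Sample values taken from the guide's own examples.
    for value in ["192.168.10.1", "192.168.10.1-192.168.12.255",
                  "192.168.10.0/255.255.255.0", "21", "137:139"]:
        kind, parsed = classify(value)
        line = f"{value:30} -> {kind}: {parsed}"
        if kind == "ip_range":
            line += f" ({range_size(parsed)} addresses)"
        print(line)
```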

Chapter 3 Working with Interfaces
In this chapter:
• Configuring global settings for interfaces
• Creating an Internet connectivity profile
• Working with bridges
• Working with bonded interfaces
• Managing Advanced Firewall’s network interfaces
• Changing the IP address

Configuring Global Settings for Interfaces
Global settings determine Advanced Firewall’s default gateway and primary and secondary DNS addresses.
To configure global settings:
1 Browse to the Networking > Interfaces > Interfaces page.

The following global interface settings are available:
Default gateway: This setting determines Advanced Firewall’s default gateway. When using a connectivity profile to connect to the Internet, select the Use external connectivity profile option. For more information, see Connecting Using an Internet Connectivity Profile on page 20.
Primary DNS: If Advanced Firewall is to be integrated as part of an existing DNS infrastructure, enter the appropriate DNS server information within the existing infrastructure. For more information, see Appendix A, Advanced Firewall and DNS on page 302.
Secondary DNS: Enter the IP address of the secondary DNS server.

Connecting Using an Internet Connectivity Profile
Advanced Firewall supports the following Internet connection methods:
Ethernet: An Ethernet NIC routed to an Internet connection, not controlled by Advanced Firewall.
Ethernet/modem hybrid: An Ethernet NIC routed to an external modem connected to the Internet via an ISP, controlled by Advanced Firewall.
Modem: An internal or external modem connected to the Internet via an ISP, controlled by Advanced Firewall.

Up to five different connections to the Internet can be defined, each stored in its own connectivity profile. Each profile defines the type of connection that should be used and appropriate settings. A modem profile is used solely for connections using dial-up modems. A modem profile contains hardware and dialling preferences to control the behavior of dial-up modem devices. The following sections explain how to connect using different connection methods.

Connecting Using a Static Ethernet Connectivity Profile
The following section explains how to connect to the Internet using a static Ethernet connectivity profile. A static Ethernet connection enables Advanced Firewall to use a static IP address as assigned by your ISP.
To connect using a static Ethernet connectivity profile:
1 On the Networking > Interfaces > Interfaces page, configure the following setting:
Default gateway: Select Use external connectivity profile.
Note: Advanced Firewall’s default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.

2 Point to the network interface card (NIC) you want to use and select Edit.
3 In the Edit interface dialog box, configure the following settings:
Name: Accept the default name or enter a custom name.
Use as: Select External.
4 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select Static Ethernet.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

5 Click Update.
6 In the Static Ethernet settings area, configure the following settings:
Interface: From the drop-down list, select the Ethernet interface for this connection.
Address: Enter the static IP address provided by your ISP.
Netmask: Enter the subnet mask as provided by your ISP.
Default gateway: Enter the default gateway IP address as provided by your ISP.
Primary DNS: Enter the primary DNS server details as provided by your ISP.
Secondary DNS: Enter the secondary DNS server details as provided by your ISP.
7 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using a DHCP Ethernet Connectivity Profile
The following section explains how to connect to the Internet using a DHCP Ethernet connectivity profile. A DHCP Ethernet connection enables Advanced Firewall to be allocated a dynamic IP address, as assigned by the ISP.
To connect using a DHCP Ethernet connectivity profile:
1 On the Networking > Interfaces > Interfaces page, configure the following setting:
Default gateway: Select Use external connectivity profile.
Note: Advanced Firewall’s default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.
2 Point to the network interface card (NIC) you want to use and select Edit.
3 In the Edit interface dialog box, configure the following settings:
Name: Accept the default name or enter a custom name.
Use as: Select External.
4 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select DHCP Ethernet.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.

Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
5 Click Update.
6 In the DHCP Ethernet settings area, configure the following settings:
Interface: From the drop-down list, select the Ethernet interface for this connection.
DHCP Hostname: Optionally, enter a DHCP hostname, if provided by your ISP.
MAC spoof: Enter a spoof MAC value, if required.
7 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using a PPP over Ethernet Connectivity Profile
The following section explains how to connect to the Internet using a PPP over Ethernet connectivity profile.

To connect using a PPP over Ethernet connection:
1 On the Networking > Interfaces > Interfaces page, configure the following setting:
Default gateway: Select Use external connectivity profile.
Note: Advanced Firewall’s default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.
2 Point to the network interface card (NIC) you want to use and select Edit.
3 In the Edit interface dialog box, configure the following settings:
Name: Accept the default name or enter a custom name.
Use as: Select External.
4 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select PPP over Ethernet.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
5 Click Update.
6 In the PPP over Ethernet settings area, configure the following settings:
Interface: From the drop-down list, select the Ethernet interface for this connection.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one.
Service name: If required, enter the service name as specified by your ISP.
Concentrator: If required, enter the concentrator name as specified by your ISP.
7 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using a PPTP over Ethernet Connectivity Profile
This section explains how to configure Advanced Firewall to use a PPTP modem for Internet connectivity.
To connect using a PPTP over Ethernet connection:
1 On the Networking > Interfaces > Interfaces page, configure the following setting:
Default gateway: Select Use external connectivity profile.
Note: Advanced Firewall’s default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.
2 Point to the network interface card (NIC) you want to use and select Edit.
3 In the Edit interface dialog box, configure the following settings:
Name: Accept the default name or enter a custom name.
Use as: Select External.

4 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select PPTP over Ethernet.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
5 Click Update.
6 In the PPTP over Ethernet settings area, configure the following settings:
Interface: From the drop-down list, select the Ethernet interface for this connection.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to Networking > Interfaces > Interfaces and create one. For more information, see Creating a PPP Profile on page 31.

Address: Enter the IP address assigned by your ISP.
Netmask: Enter the netmask assigned by your ISP.
Gateway: Enter the gateway assigned by your ISP.
Telephone: Enter the dial telephone number as provided by your ISP.

6 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using an ADSL/DSL Modem Connectivity Profile

Advanced Firewall can connect to the Internet using an ADSL modem. If your ADSL connection uses a PPPoE connection, see Connecting using a PPP over Ethernet Connectivity Profile on page 23 for more information.

Note: To connect using an ADSL modem, the ADSL device must have been configured either during the initial installation and setup or post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide.

To connect using an ADSL/DSL modem connectivity profile:

1 On the Networking > Interfaces > Connectivity page, configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select ADSL modem.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select a weight from the drop-down list to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

2 In the ADSL modem settings area, configure the following settings:

Service name: Leave this field blank. It is not required for this type of profile.
Concentrator: Leave this field blank. It is not required for this type of profile.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. Click Update. For more information, see Creating a PPP Profile on page 31.

3 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using an ISDN Modem Connectivity Profile

This section explains how to configure Advanced Firewall to connect to the Internet using an ISDN modem for Internet connectivity.

Note: The following sections apply if an ISDN modem is installed in your Advanced Firewall.

Note: To connect using an ISDN modem, an ISDN device must have been configured during the initial installation and setup of Advanced Firewall. Alternatively, ISDN devices can be configured post-installation by launching the setup program from the system console. For more information, see the Advanced Firewall Installation and Setup Guide.

To connect using an ISDN modem connectivity profile:

1 On the Networking > Interfaces > Connectivity page, configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select ISDN TA.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select a weight from the drop-down list to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

2 In the ISDN settings area, configure the following settings:

PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > Interfaces page and create one. Click Update. For more information, see Creating a PPP Profile on page 31.
Telephone: Enter the telephone number for the ISDN connection.
Channels: From the drop-down list, select either Single channel or Dual channel, depending on whether you are using one or two ISDN lines.
Keep second channel up: Select to force the second channel to remain open when its data rate falls below a worthwhile threshold. Note: ISDN connections sometimes suffer from changeable data throughput rates. If this occurs in dual channel mode, and the data rate of the second channel decreases below a threshold where it is of no benefit, Advanced Firewall will automatically close it. Forcing the second channel to stay up will help prevent this from happening.

Minimum time to keep second channel up (sec): Enter a minimum time, in seconds, for which the second channel is kept up. This option is of use if your ISDN connection experiences intermittent loss of data throughput, that is, when the second channel data rate falls below the threshold for short periods of time.

3 Click Save to save the profile, or Save and connect to save the profile and use it to connect to the Internet immediately.

Connecting Using a Dial-up Modem Connectivity Profile

This section explains how to connect to the Internet using a dial-up modem for Internet connectivity.

To connect using a dial-up modem connectivity profile:

1 On the Networking > Interfaces > Connectivity page, configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select Modem.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over if another profile has been chosen in the Automatic failover to profile drop-down menu.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields. Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool. Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select a weight from the drop-down list to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

2 In the Modem settings area, configure the following settings:

PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to Networking > Interfaces > Interfaces and create one. Click Update. For more information, see Creating a PPP Profile on page 31.
Modem profile: From the drop-down list, select the modem profile to use. See Configuring Modems on page 284 for more information on modem profiles.
Telephone: Enter the telephone number for the connection.

3 Click Save and connect to save the profile and use it to connect to the Internet immediately.

Creating a PPP Profile

Up to five PPP profiles can be created to store the username, password and other settings used for dial-up type connections. A PPP profile contains the username, password and connection-specific details for connections where Advanced Firewall controls the connecting device attached to it, including ISDN and Ethernet/modem hybrid devices. The advantage of storing these settings in a PPP profile is that multiple connection profiles can refer to the same authentication and dial settings. This is useful for creating multiple profiles to ISPs that support a range of access technologies that are authenticated via the same user account.
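The failover and load-balance settings shared by the connectivity profiles above (the failover ping IPs, Automatic failover to profile with daisy-chaining and the reboot option, and Weighting) can be modelled to check a configuration before relying on it. The following Python is an added example, not code from the Smoothwall guide; the profile names, ping results and the Reboot sentinel are constructed for illustration.

```python
"""Failover and load-balance decision logic modelled on the connectivity
profile settings above. Added example (not Smoothwall code): profile names,
ping results and the REBOOT sentinel are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

REBOOT = "Reboot"  # assumed sentinel standing for the guide's reboot option


@dataclass
class ConnectionProfile:
    name: str
    primary_ping_ip: str
    secondary_ping_ip: Optional[str] = None
    failover_to: Optional[str] = None  # next profile name, REBOOT, or None
    weighting: int = 1                 # only used while in the load-balance pool


def connection_up(profile: ConnectionProfile, ping: Callable[[str], bool]) -> bool:
    """The guide fails over only when neither ping target answers, so the
    connection counts as up if the primary OR the secondary target responds."""
    targets = [profile.primary_ping_ip]
    if profile.secondary_ping_ip:
        targets.append(profile.secondary_ping_ip)
    return any(ping(ip) for ip in targets)


def resolve_active_profile(profiles: Dict[str, ConnectionProfile], start: str,
                           ping: Callable[[str], bool]) -> Tuple[Optional[str], List[str]]:
    """Walk the daisy chain of 'Automatic failover to profile' settings.

    Returns (outcome, chain): outcome is the first healthy profile name,
    REBOOT if the chain ends in the reboot option, or None if the chain is
    exhausted (or loops back on itself) with every connection down.
    """
    chain: List[str] = []
    current: Optional[str] = start
    while current is not None and current != REBOOT:
        if current in chain:          # misconfigured cycle, e.g. A -> B -> A
            return None, chain
        chain.append(current)
        profile = profiles[current]
        if connection_up(profile, ping):
            return current, chain
        current = profile.failover_to
    return (REBOOT if current == REBOOT else None), chain


def distribute_flows(pool: Dict[str, int], flows: int) -> Dict[str, int]:
    """Smooth weighted round robin: spread new outbound NAT flows over the
    load-balancing pool in proportion to each connection's Weighting."""
    total = sum(pool.values())
    credit = {name: 0 for name in pool}
    counts = {name: 0 for name in pool}
    for _ in range(flows):
        for name, weight in pool.items():
            credit[name] += weight
        chosen = max(credit, key=credit.get)  # first name wins a tie
        credit[chosen] -= total
        counts[chosen] += 1
    return counts


# Constructed sample chain using documentation-range addresses.
PROFILES = {
    "adsl": ConnectionProfile("adsl", "203.0.113.1", "203.0.113.2", failover_to="pptp"),
    "pptp": ConnectionProfile("pptp", "198.51.100.1", failover_to="isdn"),
    "isdn": ConnectionProfile("isdn", "192.0.2.1", failover_to=REBOOT),
}


def make_ping(reachable: set) -> Callable[[str], bool]:
    """Fake probe: an address answers only if it is in the constructed set."""
    return lambda ip: ip in reachable


if __name__ == "__main__":
    ping = make_ping({"198.51.100.1"})
    print(resolve_active_profile(PROFILES, "adsl", ping))  # ('pptp', ['adsl', 'pptp'])
    print(distribute_flows({"adsl": 3, "pptp": 1}, 8))      # {'adsl': 6, 'pptp': 2}
```

A chain that loops back on itself is reported as None rather than walked forever, which is the misconfiguration to look for when daisy-chaining profiles.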

To create a PPP profile:

1 Navigate to the Networking > Interfaces > PPP page.

2 Configure the following settings:

Profiles: From the drop-down list, select Empty.
Profile name: Enter a name for the profile.
Username: Enter your ISP assigned username.
Password: Enter your ISP assigned password.
Method: Choose the authentication method as specified by your ISP in this field.
Script name: Enter the name of a logon script here, if your ISP informs you to do so. Ensure that the relevant script type has been selected in the Method drop-down list.
Idle timeout: Enter the number of minutes that the connection must remain inactive for before it is automatically closed by Advanced Firewall. Enter 0 to disable this setting. This may help reduce costs if your ISP uses per unit time billing.
Persistent connection: Select to ensure that once this PPP connection has been established, it will remain connected, regardless of the value entered in the Idle timeout field.
Dial on Demand: Select to ensure that the PPP connection is only established if an outbound request is made.
Dial on Demand for DNS: Select to ensure that the system dials for DNS requests – this is normally the desired behavior.
Maximum retries: Enter the maximum number of times that Advanced Firewall will try to connect following a failure to connect.
Type: Specifies the DNS type used by your ISP.
  Automatic – select if your ISP automatically allocates DNS settings upon connection.
  Manual – select if your ISP has provided you with DNS server addresses to enter.
Primary DNS: If Manual has been selected, enter the primary DNS server IP address.

Secondary DNS: If Manual has been selected, enter the secondary DNS server IP address.

3 Click Save to save your settings and create a PPP profile.

Modifying Profiles

To modify a profile:

1 On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to modify and click Select.

2 Make the changes. See Connecting Using an Internet Connectivity Profile on page 20 for information on the settings.

3 Click Save. Advanced Firewall modifies the profile.

Note: Any changes made to a profile used in a current connection will only be applied following reconnection.

Deleting Profiles

To delete a profile:

1 On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to delete and click Select.

2 Click Delete. Advanced Firewall deletes the profile.

Note: Deleting a profile used as part of a current connection will cause the current connection to close.

Working with Bridges

It is possible to deploy Advanced Firewall in-line using two or more NICs to create a transparent bridge on which Deep Packet Inspection is possible. The following sections explain how to create, edit and delete bridges.

Creating Bridges

To create a bridge:

1 On the Networking > Interfaces > Interfaces page, click Add new interface.

2 In the Add new interface dialog box, configure the following settings:

Name: Enter a name for the bridge.
Type: Select Bridge.
Ports: From the ports listed as available, select the ports to be used as bridge members.
Use as: Select one of the following:
  External – Select to use the bridge as an external interface.
  Basic interface – Select to use the bridge as an interface with one or more IP addresses on it.

MAC: Accept the displayed MAC address or enter a new one.

3 Click Add. Advanced Firewall adds the bridge to the list on the Networking > Interfaces > Interfaces page.

Editing Bridges

To edit a bridge:

1 On the Networking > Interfaces > Interfaces page, point to the bridge and click Edit.

2 In the Edit interface dialog box, make the changes needed. See Creating Bridges on page 33 for information on the settings available.

3 Click Save changes. Advanced Firewall applies the changes.

Deleting Bridges

To delete a bridge:

1 On the Networking > Interfaces > Interfaces page, point to the bridge and click Delete.

2 When prompted, click Delete to confirm you want to delete the bridge. Advanced Firewall deletes the bridge.

Working with Bonded Interfaces

Advanced Firewall enables you to bind two or more NICs into a single bond. Bonding enables the NICs to act as one, thus providing high availability.

Creating Bonds

To create a bond:

1 On the Networking > Interfaces > Interfaces page, click Add new interface.

2 In the Add new interface dialog box, configure the following settings:

Name: Enter a name for the bond.
Type: Select Bonding.
Ports: From the ports listed as available, select the ports to be used as bond members.
Use as: Select one of the following:
  External – Select to use the bond as an external interface.
  Basic interface – Select to use the bond as an interface with one or more IP addresses on it.
  Bridge member – Select to use the bond as a member of a bridge. For more information, see Working with Bridges on page 33.
MAC: Accept the displayed MAC address or enter a new one.

3 Click Add. Advanced Firewall adds the bond to the list on the Networking > Interfaces > Interfaces page.

Editing Bonds

To edit a bond:

1 On the Networking > Interfaces > Interfaces page, point to the bond and click Edit.

2 In the Edit interface dialog box, make the changes needed. See Creating Bonds on page 34 for information on the settings available.

3 Click Save changes. Advanced Firewall applies the changes.

Deleting Bonds

To delete a bond:

1 On the Networking > Interfaces > Interfaces page, point to the bond and click Delete.

2 When prompted, click Delete to confirm you want to delete the bond. Advanced Firewall deletes the bond.

Configuring IP Addresses

The following sections explain how to add, edit and delete IP addresses used by interfaces.

Note: External aliases are configured on the Networking > Interfaces > External aliases page. See Chapter 4, Creating an External Alias Rule on page 45 for more information.

Adding an IP Address

To add an IP address:

1 On the Networking > Interfaces > Interfaces page, click on the interface you want to add an IP address to.

2 In the IP addresses dialog box, click Add new address. In the Add new address dialog box, configure the following settings:

Status: Select Enabled to enable the IP address for the NIC.
IP address: Enter an IP address.
Subnet mask: Enter the subnet mask.
Gateway: Optionally, enter a gateway.

3 Click Add. Advanced Firewall adds the IP address to the interface.

Editing an IP Address

To edit an IP address:

1 On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to edit.

2 In the IP addresses dialog box, point to the address and click Edit.

3 In the Edit address dialog box, make the changes needed and click Save changes. Advanced Firewall applies the changes.

Deleting an IP Address

To delete an IP address:

1 On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to delete.

2 In the IP addresses dialog box, point to the address and click Delete.

3 When prompted, click Delete. Advanced Firewall deletes the address.

Virtual LANs

Advanced Firewall supports the creation of Virtual LANs (VLANs) by binding a virtual network interface to a regular NIC on the system. Each VLAN is treated by Advanced Firewall as an isolated network zone, just as if it were a regular network zone attached to a real NIC.

Creating a VLAN

To create a VLAN:

1 On the Networking > Interfaces > Interfaces page, click Add new interface.

2 In the Add new interface dialog box, configure the following settings:

Name: Enter a name for the VLAN.
Type: Select VLAN.
Parent interface: From the drop-down list of NICs available, select the interface to use.
VLAN ID: If required, enter a tag in the range 1 to 4095 to create a separate network. Note: We do not recommend using a VLAN tag of 1 as this can cause problems with some equipment.
Use as: Select one of the following:
  External – Select to use the VLAN as an external interface.
    Spoof MAC – Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
  Basic interface – Select to use the VLAN as a basic interface.
    Spoof MAC – Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
  Bridge member – Select to use the VLAN as part of a bridge. For more information, see Working with Bridges on page 33.
    Bridge interface – From the drop-down list, select which bridge interface to use.
    Spoof MAC – Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.

3 Click Add. The VLAN is added to the list of interfaces below, where you can configure it.

Editing a VLAN

To edit a VLAN:

1 On the Networking > Interfaces > Interfaces page, point to the VLAN and click Edit.

2 In the Edit interface dialog box, make the changes needed and click Save changes. See Creating a VLAN on page 36 for information on the settings available.

Deleting a VLAN

To delete a VLAN:

1 On the Networking > Interfaces > Interfaces page, point to the VLAN and click Delete.

2 When prompted, click Delete to confirm. Advanced Firewall deletes the VLAN.


Chapter 4 Managing Your Network Infrastructure

In this chapter:
• Creating subnets and internal subnet aliases
• Enabling and configuring the RIP service

Creating Subnets

Large organizations often find it advantageous to group computers from different departments, floors and buildings into their own subnets, usually with network hubs and switches.

Note: This functionality only applies to subnets available via an internal gateway.

To create a subnet rule:

1 Navigate to the Networking > Routing > Subnets page.

2 Configure the following settings:

Network: Enter the IP address that specifies the network ID part of the subnet definition when combined with a netmask value.
Netmask: Enter a network mask that specifies the size of the subnet when combined with the Network field.

Gateway: Enter the IP address of the gateway device by which the subnet can be found. This will be an address on a locally recognized network zone. The gateway address must be on a network that Advanced Firewall is directly attached to. It is necessary for Advanced Firewall to be able to route to the gateway device in order for the subnet to be successfully configured.
Metric: Enter a router metric to set the order in which the route is taken, with 0 being the highest priority and the default for new routes. This sets the order in which the route is evaluated.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.

3 Click Add. The rule is added to the Current rules table.

Editing and Removing Subnet Rules

To edit or remove existing subnet rules, use Edit and Remove in the Current rules area.

Using RIP

The Routing Information Protocol (RIP) service enables network-wide convergence of routing information amongst gateways and routers. A RIP-enabled gateway passes its entire routing table to its nearest neighbor, typically every 30 seconds.

Advanced Firewall's RIP service can:
• Operate in import, export or combined import/export mode
• Support password and MD5 authentication
• Export direct routes to the system's internal interfaces.

To configure the RIP service:

1 Navigate to the Networking > Routing > RIP page.

2 Configure the following settings:

Enabled: Select to enable the RIP service.
Direction: From the drop-down menu, select how to manage routing information. The following options are available:
  Import and Export – The RIP service will add and update its routing table from information received from other RIP enabled gateways. The RIP service will also broadcast its routing tables for use by other RIP enabled gateways.
  Import – The RIP service will add and update its routing table from information received from other RIP enabled gateways.
  Export – The RIP service will only broadcast its routing tables for use by other RIP enabled gateways.
RIP interfaces: Select each interface that the RIP service should import/export routing information to/from.
Authentication: Enabling RIP authentication ensures that routing information is only imported and exported amongst trusted RIP-enabled devices. Select one of the following options to manage authentication:
  None – In this mode, routing information can be imported and exported between any RIP device. We do not recommend this option from a security standpoint.
  Password – In this mode, a plain text password is specified which must match other RIP devices.
  MD5 – In this mode, an MD5 hashed password is specified which must match other RIP devices.
Password: If Password is selected as the authentication method, enter a password for RIP authentication.
Again: If Password is selected as the authentication method, re-enter the password to confirm it.
Scan interval: From the drop-down menu, select the time delay between routing table imports and exports. Note: There is a performance trade-off between the number of RIP-enabled devices, network hosts and the scan frequency of the RIP service. The periodic exchange of routing information between RIP-enabled devices increases the ambient level of traffic on the host network. Select a frequent scan interval for networks with fewer hosts. For networks with greater numbers of hosts, choose a less frequent scan interval. Accordingly, administrators responsible for larger networks should consider increasing the RIP scan interval or reconsidering the suitability of the RIP service for propagating routing information.
Logging level: From the drop-down menu, select the level of logging.

Direct routing interfaces: Optionally, select interfaces whose information should also include routes to the RIP service's own interfaces when exporting RIP data. This ensures that other RIP devices are able to route directly and efficiently to each exported interface.

3 Click Save.

Sources

The Sources page is used to configure source rules which determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active.

Creating Source Rules

Source rules route outbound traffic from selected network hosts through a particular external interface. Source rules can be created for individual hosts, ranges of hosts or subnet ranges.

To create a source rule:

1 Navigate to the Networking > Routing > Sources page.

2 Configure the following settings:

Source IP or network: Enter the source IP or subnet range of the internal network host(s) specified by this rule. For more information, see About IP Address Definitions on page 43.
Internal interface: From the drop-down menu, select the internal interface that the source IP must originate from to use the external connection.

External interface: From the drop-down menu, select the external interface that is used by the specified source IP or network for external communication. Alternatively, select Exception to create an exception rule to ensure that all outbound traffic from the specified source IP, network and internal interface is routed via the primary external interface. Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection. Note: If the external interface is set to Exception, any traffic specified here will not be subject to any load balancing.
Comment: Optionally, enter a description for the source rule.
Enabled: Select to activate the rule.

3 Click Add.

Editing a Rule

To edit a rule:

1 Locate it within the Current rules region, select it and click Edit to populate the configuration controls in the Add a new rule region with the rule's current configuration values.

2 Alter the configuration values as necessary, and click Add.

Removing a Rule

To remove one or more rules:

1 Select each rule in the Current rules area and click Remove.

About IP Address Definitions

Single or multiple IP addresses can be specified in a number of different manners:
  IP address – An identifier for a single network host, written as a quartet of dotted decimal values, e.g. 192.168.10.1
  IP subnet [dotted decimal] – An arbitrary IP address and network mask that specifies a subnet range of IP addresses, e.g. 192.168.10.0/255.255.255.0 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255
  IP subnet [network prefix] – An arbitrary IP address and network mask in network prefix notation, e.g. 192.168.10.0/24 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255

Ports

The Ports page is where you route outbound traffic for selected ports through a particular external interface. For example, you can create a rule to send all SMTP traffic down a specific external interface.

Note: The rules specified on the Sources page will always be examined first, so traffic will only travel down this list of port rules if it does not first hit a Sources rule. For more information, see Sources on page 42.
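The three address definition forms above, and the rule that Sources rules are consulted before Ports rules (with Exception pinning traffic to the primary), can be checked offline before a policy is applied. The following Python is an added example, not code from the Smoothwall guide; the rule tables, interface names and the PRIMARY and EXCEPTION labels are constructed for illustration.

```python
"""Parser for the IP address definition forms above and an evaluator for the
Sources-before-Ports routing precedence. Added example, not Smoothwall code:
the rule tables, interface names and the PRIMARY / EXCEPTION labels are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRIMARY = "primary"      # assumed label for the primary external connection
EXCEPTION = "Exception"  # the guide's Exception choice: always use the primary


def parse_definition(text: str) -> ipaddress.IPv4Network:
    """Accept '192.168.10.1', '192.168.10.0/255.255.255.0' or '192.168.10.0/24'.

    A bare address is treated as a /32 so every form yields a network object.
    ipaddress understands both a prefix length and a dotted-decimal mask;
    strict=False tolerates host bits being set in the address part.
    """
    text = text.strip()
    if "/" not in text:
        return ipaddress.IPv4Network(text + "/32")
    return ipaddress.IPv4Network(text, strict=False)


def address_range(text: str) -> Tuple[str, str]:
    """First and last address covered by a definition, as the guide lists them."""
    net = parse_definition(text)
    return str(net.network_address), str(net.broadcast_address)


@dataclass
class SourceRule:
    source: str            # Source IP or network, in any of the three forms
    internal_iface: str    # internal interface the traffic must arrive on
    external_iface: str    # external interface name, or EXCEPTION
    enabled: bool = True


@dataclass
class PortRule:
    protocol: str
    port: int
    external_iface: str    # external interface name, or EXCEPTION
    enabled: bool = True


def choose_external_interface(src_ip: str, in_iface: str, protocol: str, dport: int,
                              sources: List[SourceRule],
                              ports: List[PortRule]) -> Optional[str]:
    """Sources rules are always examined first; a Ports rule is reached only
    when no Sources rule matched. Exception pins the traffic to the primary
    (and exempts it from load balancing). None means no rule matched, so the
    traffic follows the default, possibly load-balanced, path."""
    ip = ipaddress.IPv4Address(src_ip)
    for rule in sources:
        if (rule.enabled and rule.internal_iface == in_iface
                and ip in parse_definition(rule.source)):
            return PRIMARY if rule.external_iface == EXCEPTION else rule.external_iface
    for rule in ports:
        if rule.enabled and rule.protocol == protocol and rule.port == dport:
            return PRIMARY if rule.external_iface == EXCEPTION else rule.external_iface
    return None


# Constructed rule tables (interface names are illustrative only).
SOURCES = [
    SourceRule("192.168.10.0/255.255.255.0", "lan", "backup_dsl"),
    SourceRule("192.168.20.7", "lan", EXCEPTION),
]
PORTS = [
    PortRule("tcp", 25, "mail_line"),   # send all SMTP down a specific line
]

if __name__ == "__main__":
    print(address_range("192.168.10.0/24"))  # ('192.168.10.0', '192.168.10.255')
    # SMTP from 192.168.10.0/24 hits the Sources rule first, so the Ports
    # rule for port 25 is never consulted for that subnet.
    print(choose_external_interface("192.168.10.50", "lan", "tcp", 25, SOURCES, PORTS))
```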

Creating a Ports Rule

Port rules route outbound traffic for selected ports through a particular external interface.

To create a ports rule:

1 Navigate to the Networking > Routing > Ports page.

2 In the Add a new rule area, configure the following settings:

Protocol: From the drop-down menu, select the protocol the traffic uses.
Service: From the drop-down menu, select the service, port range or group of ports.
Port: If the service is user defined, enter the port number.
External interface: From the drop-down menu, select the external interface to use. Select Exception to never route the traffic via an alternative interface. Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection.
Comment: Enter a description of the rule.
Enabled: Select to make the rule active.

3 Click Add to create the rule. The rule is created and listed in the Current rules area.

Editing a Rule

To edit a rule:

1 Select the rule in the Current rules area and click Edit.

2 In the Add a new rule area, make the changes you require and click Add. The rule is updated and listed in the Current rules area.

Removing Rules

To remove one or more rules:

1 Select each rule in the Current rules area and click Remove.

Creating an External Alias Rule
Advanced Firewall enables you to associate multiple public IP addresses with a single Advanced Firewall by creating external aliases. An external alias binds an additional public IP address to Smoothwall System's external interface.

To create an external alias rule:
1 Navigate to the Networking > Interfaces > External aliases page.
2 Configure the following settings:
Setting – Description
External interface – From the drop-down list, select the external interface to which you want to bind an additional public IP address.
Select – Click to select the interface.
Alias IP – Enter the IP address of the external alias. This address should be provided by your ISP as part of a multiple static IP address allocation.
Netmask – Used to specify the network mask of the external alias. This value is usually the same as the external interface's netmask value. This value should be provided by your ISP.
Connectivity profile – Used to determine when the external alias is active. Options include: All – The external alias will always be active, irrespective of the currently active connection profile. Named connection profile – The external alias will only be active if the named connection profile is currently active. This is particularly useful for creating aliases for connection profiles that are used as failover connections.
Enabled – Determines whether the external alias rule is currently active.
Comment – A field used to assign a helpful message describing the external alias rule.
3 Click Add. The external alias rule is added to the Current rules table.

Editing and Removing External Alias Rules
To edit or remove existing external alias rules, use Edit and Remove in the Current rules region.

Port Forwards from External Aliases
Advanced Firewall extends your system's port forwarding capabilities by allowing port forward rules to be created that can forward traffic arriving at an external alias. No special configuration is required to use this feature. Use the existing Networking > Firewall > Port forwarding page and select the required external alias from the Source IP drop-down list.

Creating a Source Mapping Rule
Advanced Firewall enables you to map internal hosts to an external IP alias by creating source mapping rules. This allows outbound communication from specified hosts to appear to originate from the external alias IP address, instead of the default, real external IP.

A common use for source mapping rules is to ensure that SMTP mail servers send and receive email via the same IP address. If the incoming IP address is an external alias, i.e. the Advanced Firewall default external IP is not the MX for the email domain, and outbound mail fails to mirror the IP address as its source, some SMTP servers will reject the mail. This is because the mail will not appear to originate from the correct IP address. This problem can be alleviated by using a source mapping rule to ensure that the SMTP server uses the same IP address for inbound and outbound traffic.

To create a source mapping rule:
1 Navigate to the Networking > Firewall > Source mapping page.
2 Configure the following settings:
Setting – Description
Source IP – Enter the source IP or network of hosts to be mapped to an external alias. For a single host, enter its IP address. For a network of hosts, enter an appropriate IP address and subnet mask combination, for example, 192.168.100.0/255.255.255.0 will create a source mapping rule for hosts in the IP address range 192.168.100.1 through to 192.168.100.255. For all hosts, leave the field blank.
Alias IP – From the drop-down list, select the external alias that outbound communication is mapped to.
Enabled – Select to enable the rule.
Comment – Enter a description of the rule.
3 Click Add. The source mapping rule is added to the Current rules table.

Editing and Removing Source Mapping Rules
To edit or remove existing source mapping rules, use Edit and Remove in the Current rules area.

Managing Internal Aliases
Advanced Firewall can be configured to create internal aliases for each installed NIC, thus enabling it to route packets to and from IP addresses on a virtual subnet – without the need for physical switches. Internal aliases can be used to create logical subnets amongst hosts within the same physical network zone. Internal alias rules are used to create such bindings on an internal network interface. Network users can join a logical subnet by changing their IP address.

Note: This function is recommended only for experienced network administrators, as there are a number of security implications and limitations that using this feature will impose on the rest of your network.

Note: Use of this feature is not normally recommended for the following reasons:
• No physical separation – Internal aliases should not be considered as a substitute for physically separating multiple networks.
• No DHCP service – DHCP servers cannot serve a logical subnet, as it is impossible for the server to know which subnet (physical or logical) the client should be on.
• No direct DNS or proxy access – The DNS proxy and web proxy services cannot be accessed by hosts on a logical subnet. Requests for such services must be routed via the IP address of the physical interface – this is not the case when an alias is in use. Note: No services will run on the alias IP.

Generally, internal aliases should only be created in special circumstances.

Creating an Internal Alias Rule
To create an internal alias rule:
1 Navigate to the Interfaces > Internal aliases page.

2 Configure the following settings:
Setting – Description
Interface – From the drop-down menu, select the internal interface on which to create the alias.
IP address – Enter an IP address for the internal alias.
Netmask – Enter a network mask that specifies the size of the subnet accessible via the internal alias (when combined with a network value).
Enabled – Select to enable the rule.
Comment – Enter a description of the rule.
3 Click Add. The internal alias rule is added to the Current rules table.

Editing and Removing Internal Alias Rules
To edit or remove existing internal alias rules, use Edit and Remove in the Current rules area.

Working with Secondary External Interfaces
The Secondaries page is used to configure an additional, secondary external interface. A secondary external interface will operate independently of the primary external interface, NATing its own outbound traffic. Once a secondary external interface is active, the system can be configured to selectively route different internal hosts, ranges of hosts and subnets out across either the primary or secondary external interface.

Configuring a Secondary External Interface
Note: It is not possible to perform L2TP or OpenVPN connections to secondary interfaces.

To configure a secondary external interface:
1 Navigate to the Networking > Interfaces > Secondaries page.

2 Configure the following settings:
Setting – Description
Secondary external interface – From the drop-down list, select the interface you want to use as the secondary external interface.
Select – Click to select the interface.
Enabled – Select to enable the interface.
Address – Enter the IP address.
Netmask – Enter the netmask.
Default gateway – Enter the default gateway.
Primary failover ping IP – Optionally, specify an IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address cannot be contacted, all outbound traffic will be redirected to the primary connection. If a secondary failover IP has been entered, it must also fail before failover routing is activated.
Secondary failover ping IP – Optionally, specify an additional IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address and the primary failover ping IP cannot be contacted, all outbound traffic will be redirected to the primary connection.
Load balance outgoing traffic – Optionally, select to add the currently selected secondary address to the load balancing pool of connections. Selecting this option ensures that outbound NATed traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have been added to the load balancing pool. Note: If no load balance options are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic – Optionally, select to add the currently selected secondary address to the proxy load balancing pool. Selecting this option ensures that web proxy traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have themselves been added to the proxy load balancing pool. Note: If no load balance tick-box controls are selected, all traffic will be sent out of the primary external connection.

Weighting – Optionally, select to set the weighting for load balancing on the currently selected secondary address. A weighting is assigned to all external connections in the load balancing pool and load balancing is performed according to the respective weights of each connection. For example:
• A connection weighted 10 will be given 10 times as much load as a connection weighted 1.
• A connection weighted 6 will be given 3 times as much load as a connection weighted 2.
• A connection weighted 2 will be given twice as much load as a connection weighted 1.
The weighting value is especially useful for load balancing external connections of differing speeds.

3 Click Save to save your settings and enable the secondary external interface.
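To see how the three weighting examples above work out in practice, here is a small Python model added as an illustration; it is not Smoothwall's scheduler, and smooth weighted round robin is the discipline assumed for the example. Its useful property is that over every sum-of-weights picks each connection is chosen exactly its weight number of times, interleaved rather than in long runs, which is what makes the 10:1, 6:2 and 2:1 ratios hold exactly.

```python
from typing import Dict, List


def weighted_schedule(weights: Dict[str, int], count: int) -> List[str]:
    """Smooth weighted round robin (assumed discipline for this example).
    Every connection accrues credit equal to its weight on each pick; the
    one with the most credit is chosen and pays back the total weight."""
    for name, weight in weights.items():
        if not isinstance(weight, int) or weight < 1:
            raise ValueError(f"weight for {name!r} must be a positive integer")
    total = sum(weights.values())
    credit = {name: 0 for name in weights}
    order: List[str] = []
    for _ in range(count):
        for name, weight in weights.items():
            credit[name] += weight
        chosen = max(credit, key=credit.get)   # ties go to the first listed
        credit[chosen] -= total
        order.append(chosen)
    return order


def share(weights: Dict[str, int], count: int) -> Dict[str, int]:
    """How many of `count` new connections each external link receives."""
    order = weighted_schedule(weights, count)
    return {name: order.count(name) for name in weights}


def load_ratio(weights: Dict[str, int], a: str, b: str) -> float:
    """Relative load of connection a against connection b."""
    return weights[a] / weights[b]


if __name__ == "__main__":
    # Constructed pools matching the guide's three examples.
    print(share({"primary": 10, "secondary": 1}, 11))   # 10 vs 1
    print(share({"fast": 6, "slow": 2}, 8))             # 6 vs 2, a 3:1 ratio
    print(share({"a": 2, "b": 1}, 3))                   # 2 vs 1
    print(weighted_schedule({"fast": 6, "slow": 2}, 8)) # interleaved order
```

Because the credit state returns to zero at the end of each cycle, the proportions stay exact over any multiple of the cycle length, so a 6:2 pool carrying 80 connections still splits 60:20.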

Chapter 5 General Network Security Settings

In this chapter:
• Using IP blocking to block source IPs and networks
• Reviewing network interface information
• Fine-tuning network communications using the advanced networking features
• Creating groups of ports for use throughout Advanced Firewall.

Creating IP Blocking Rules
IP block rules block all traffic to/from certain network hosts.

Blocking by IP
IP block rules can be created to block network traffic originating from certain source IPs or network addresses, or between certain parts of distinct networks. IP block rules are primarily intended to block hostile hosts from the external network; however, it is sometimes useful to use this feature to block internal hosts, for example, if an internal system has been infected by malware. IP block rules can also operate in an exception mode – allowing traffic from certain source IPs or network addresses to always be allowed.

To create an IP block rule:
1 Navigate to the Networking > Filtering > IP block page.

2 Configure the following settings:
Control – Description
Source IP or network – Enter the source IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
• An individual network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
Destination IP or network – Enter the destination IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
• An individual network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
Drop packet – Select to ignore any request from the source IP or network. The effect is similar to disconnecting the appropriate interface from the network, and no communication will be possible.
Reject packet – Select to cause an ICMP Connection Refused message to be sent back to the originating IP.
Exception – Select to always allow the source IPs specified in the Source IP or network field to communicate, regardless of all other IP block rules. Exception block rules are typically used in conjunction with other IP block rules, for example, where one IP block rule drops traffic from a subnet range of IP addresses, and another IP block rule creates exception IP addresses against it.
Log – Select to log all activity from this IP.
Enabled – Select to enable the rule.
Comment – Optionally, describe the IP block rule.
3 Click Add. The rule is added to the Current rules table.

Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.

Editing and Removing IP Block Rules
To edit or remove existing IP block rules, use Edit and Remove in the Current rules area.

Configuring Advanced Networking Features
Advanced Firewall's advanced networking settings can help prevent denial of service (DoS) attacks and enforce TCP/IP standards to restrict broken network devices from causing disruption.
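The interaction between exception rules, drop/reject rules and the same-subnet caveat is easy to get wrong when reviewing a rule set, so here is a Python evaluator, added as an illustration and not Smoothwall's own code, that applies the semantics the table describes to a constructed rule list: exception rules take precedence over every other block rule, and traffic between two hosts on one directly connected subnet is reported as not blockable because it never reaches the firewall. The rule and verdict field names, the local subnet list and the sample addresses (RFC 5737 documentation ranges) are assumptions of the example; the address notations it parses are the ones listed above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


def parse_ip_spec(spec: str):
    """Networks covered by one Source/Destination entry: a host
    (192.168.10.1), a range (192.168.10.1-192.168.10.15) or a subnet
    (192.168.10.0/255.255.255.0 or 192.168.10.0/24)."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]


def _covers(spec: str, ip) -> bool:
    # A blank field matches any host.
    return not spec or any(ip in net for net in parse_ip_spec(spec))


@dataclass
class IPBlockRule:
    source: str = ""          # blank = any source
    destination: str = ""     # blank = any destination
    action: str = "drop"      # "drop", "reject" or "exception"
    log: bool = False
    enabled: bool = True
    comment: str = ""


@dataclass
class Verdict:
    action: str               # "allow", "drop" or "reject"
    logged: bool
    reason: str


def evaluate(rules: List[IPBlockRule], src_ip: str, dst_ip: str,
             local_subnets: List[str]) -> Verdict:
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Guide caveat: hosts on one subnet talk directly, so the firewall
    # never sees the traffic and an IP block rule cannot drop or reject it.
    for subnet in local_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        if src in net and dst in net:
            return Verdict("allow", False, "same subnet: traffic does not traverse the firewall")
    active = [r for r in rules if r.enabled]
    # Exception rules win regardless of all other IP block rules.
    for r in active:
        if r.action == "exception" and _covers(r.source, src):
            return Verdict("allow", r.log, f"exception: {r.comment or r.source}")
    for r in active:
        if (r.action in ("drop", "reject") and _covers(r.source, src)
                and _covers(r.destination, dst)):
            return Verdict(r.action, r.log, f"{r.action}: {r.comment or r.source}")
    return Verdict("allow", False, "no matching IP block rule")


# Constructed sample: a dropped subnet with one exempted admin host, a
# rejected external range, and a range rule limited to one destination.
LOCAL_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]
SAMPLE_RULES = [
    IPBlockRule("192.168.10.0/255.255.255.0", action="drop", log=True, comment="infected subnet"),
    IPBlockRule("192.168.10.5", action="exception", comment="admin workstation"),
    IPBlockRule("198.51.100.0/24", action="reject", comment="hostile external range"),
    IPBlockRule("192.168.20.1-192.168.20.15", "203.0.113.0/24", action="drop"),
]

if __name__ == "__main__":
    for src, dst in [("192.168.10.7", "203.0.113.9"), ("192.168.10.5", "203.0.113.9"),
                     ("192.168.10.7", "192.168.10.9"), ("198.51.100.4", "192.168.20.9")]:
        print(src, "->", dst, evaluate(SAMPLE_RULES, src, dst, LOCAL_SUBNETS))
```

The third sample pair is the one to note: both hosts sit in 192.168.10.0/24, which is covered by the drop rule, yet the verdict is allow, because the packets are switched between the hosts without passing through Advanced Firewall.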

To configure advanced networking features:
1 Navigate to the Networking > Settings > Advanced page.
2 Configure the following feature settings:
Setting – Description
Block and ignore:
ICMP ping broadcasts – Select to prevent the system responding to broadcast ping messages from all network zones (including external). This can prevent the effects of a broadcast ping-based DoS attack.
ICMP ping – Select to block all ICMP ping requests going to or through Advanced Firewall. This will effectively hide the machine from Internet Control Message Protocol (ICMP) pings, but this can also make connectivity problems more difficult to diagnose.
Multicast traffic – Select this option to block multicast messages on network address 224.0.0.0 from ISPs and prevent them generating large volumes of spurious log entries.
IGMP packets – Select this option to block and ignore multicast reporting Internet Group Management Protocol (IGMP) packets. Generally, IGMP packets are harmless and are most commonly observed when using cable modems to provide external connectivity. If your logs contain a high volume of IGMP entries, enable this option to ignore IGMP packets without generating log entries.
SYN+FIN packets – Select to automatically discard packets used in SYN+FIN scans, which are used to passively scan systems. SYN+FIN scans result in large numbers of log entries being generated. With this option enabled, the scan packets are automatically discarded and are not logged.

Enable:
SYN cookies – Select to defend the system against SYN flood attacks. A SYN flood attack is where a huge number of connection requests, SYN packets, are sent to a machine in the hope that it will be overwhelmed. The use of SYN cookies is a standard defence mechanism against this type of attack.
SYN backlog queue size – Select this option to set the maximum number of requests which may be waiting in a queue to be answered. In normal situations, the default value of 2048 will be adequate, but increasing the value may reduce connection problems for an extremely busy proxy service.
Connection tracking table size – Select to store information about all connections known to the system. This includes NATed sessions, and traffic passing through the firewall. The value entered in this field determines the table's maximum size. In operation, the table is automatically scaled to an appropriate size within this limit, according to the number of active connections and their collective memory requirements. The default value for this setting is usually adequate, but in very big networks, select a bigger value.
ARP table size – You should increase the ARP table size if the number of directly connected machines or IP addresses is more than the value shown in the drop-down box, which is set according to the amount of memory. Occasionally, the default size is insufficient – use this field to configure a larger size. Directly connected machines are those which are not behind an intermediate router but are instead directly attached to one of Advanced Firewall's network interfaces.
ARP filter – Select this option to enable the ARP filter. This option can be enabled if your network is experiencing ARP flux.
Window scaling – Select this option to enable TCP window scaling to improve the performance of TCP on high speed links.
TCP timestamps – Select this option to enable TCP timestamps (RFC1323) to improve TCP performance on high speed links.
Selective ACKs – Select this option to enable selective ACKs (RFC2018) to improve TCP performance when packet loss is high.
ECN – Select this option to enable Explicit Congestion Notification (ECN), a mechanism for avoiding network congestion. While effective, it requires communicating hosts to support it, and some routers are known to drop packets marked with the ECN bit. For this reason, this feature is disabled by default.
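Most of the options in this table correspond to well-known Linux kernel tunables, and an administrator reviewing a firewall will often want to confirm the effective values rather than trust the web interface. The script below, added here as an illustration and not part of Smoothwall's software, parses `sysctl -a` style output and reports options that do not match the expectations stated in this table (SYN cookies on, backlog at least 2048, broadcast pings ignored, ECN off by default). The sysctl keys are real Linux parameters; that Advanced Firewall drives exactly these keys is an assumption of the example, as is the sample output, which is constructed.

```python
import os
from typing import Dict, List, Optional, Tuple

# Guide option -> (Linux sysctl key, comparison, expected). The mapping from
# the web interface to these keys is assumed, not documented by the guide.
EXPECTATIONS = [
    ("ICMP ping broadcasts blocked", "net.ipv4.icmp_echo_ignore_broadcasts", "eq", 1),
    ("SYN cookies", "net.ipv4.tcp_syncookies", "eq", 1),
    ("SYN backlog queue size", "net.ipv4.tcp_max_syn_backlog", "ge", 2048),
    ("Window scaling", "net.ipv4.tcp_window_scaling", "eq", 1),
    ("TCP timestamps (RFC1323)", "net.ipv4.tcp_timestamps", "eq", 1),
    ("Selective ACKs (RFC2018)", "net.ipv4.tcp_sack", "eq", 1),
    ("ECN (guide default: disabled)", "net.ipv4.tcp_ecn", "eq", 0),
]

# Reported for information only; the right value depends on the network.
INFORMATIONAL = {
    "net.ipv4.conf.all.arp_filter": "ARP filter (enable only if experiencing ARP flux)",
    "net.netfilter.nf_conntrack_max": "Connection tracking table size",
    "net.ipv4.neigh.default.gc_thresh3": "ARP table size (hard limit)",
}

# Constructed sample, not captured from a real system.
SAMPLE_SYSCTL_OUTPUT = """\
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.conf.all.arp_filter = 0
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_ecn = 2
net.ipv4.tcp_congestion_control = cubic
net.netfilter.nf_conntrack_max = 65536
net.ipv4.neigh.default.gc_thresh3 = 1024
"""


def parse_sysctl(text: str) -> Dict[str, int]:
    """Parse 'key = value' lines; non-integer values are skipped."""
    values: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        try:
            values[key.strip()] = int(raw.strip().split()[0])
        except ValueError:
            continue
    return values


def audit(values: Dict[str, int]) -> List[Tuple[str, str, Optional[int], int]]:
    """Return (option, key, actual, expected) for every expectation not met;
    a missing key counts as a finding because its state is unknown."""
    findings = []
    for label, key, op, expected in EXPECTATIONS:
        actual = values.get(key)
        ok = actual is not None and (actual == expected if op == "eq" else actual >= expected)
        if not ok:
            findings.append((label, key, actual, expected))
    return findings


def read_live_sysctls(keys) -> Dict[str, int]:
    """Read the named keys from /proc/sys on a Linux host; keys that do not
    exist (for example nf_conntrack_max before the module loads) are skipped."""
    values: Dict[str, int] = {}
    for key in keys:
        path = os.path.join("/proc/sys", *key.split("."))
        try:
            with open(path) as fh:
                values[key] = int(fh.read().split()[0])
        except (OSError, ValueError):
            continue
    return values


if __name__ == "__main__":
    parsed = parse_sysctl(SAMPLE_SYSCTL_OUTPUT)
    for label, key, actual, expected in audit(parsed):
        print(f"FINDING {label}: {key} = {actual} (expected {expected})")
    for key, label in INFORMATIONAL.items():
        print(f"INFO {label}: {key} = {parsed.get(key)}")
```

On the constructed sample the audit reports three findings: broadcast pings are still answered, the SYN backlog is below the guide's 2048 default, and ECN is at the Linux kernel's own default of 2 (enabled when the peer requests it) rather than the disabled state this table describes.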

Audit – Traffic auditing is a means of recording extended traffic logs for the purpose of analysing the different types of incoming, outgoing and forwarded traffic. Direct incoming traffic – Select to log all new connections to all interfaces that are destined for the firewall. Direct outgoing traffic – Select to log all new connections from any interface. Forwarded traffic – Select to log all new connections passing through one interface to another. Traffic auditing logs are viewable on the Logs and reports > Logs > Firewall page. Note: It is possible that auditing traffic generates vast amounts of logging data. Ensure that the quantity of logs generated is acceptable.
Drop all direct traffic on internal interfaces – Select any internal interfaces which have hosts on them that do not require direct access to the system but do require access to other networks connected to Advanced Firewall.
3 Click Save to enable the settings you have selected.

Working with Port Groups
You can create and edit named groups of TCP/UDP ports for use throughout Advanced Firewall. Creating port groups significantly reduces the number of rules needed and makes rules more flexible. For example, you can create a port group to make a single port forward to multiple ports and modify which ports are in the group without having to recreate the rules that use it. In this way you could easily add a new service to all your DMZ servers.

Creating a Port Group
To create a port group:
1 Navigate to the Networking > Settings > Port groups page.
2 In the Port groups area, click New and configure the following settings:
Setting – Description
Group name – Enter a name for the port group and click Save.
Name – Enter a name for the port or range of ports you want to add to the group.
Port – Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers, separated by :, for example: 1024:65535. For non-consecutive ports, create a separate entry for each port number.
Comment – Optionally, add a descriptive comment for the port or port range.
3 Click Add. The port, ports or port range is added to the group.

Adding Ports to Existing Port Groups
To add a new port:
1 Navigate to the Networking > Settings > Port groups page.
2 From the Port groups drop-down list, select the group you want to add a port to and click Select. Configure the following settings:
Setting – Description
Name – Enter a name for the port or range of ports you want to add to the group.

Port – Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers, separated by :, for example: 1024:65535.
Comment – Optionally, add a descriptive comment for the port or port range.
3 Click Add. The port, ports or range are added to the group.

Editing Port Groups
To edit a port group:
1 Navigate to the Networking > Settings > Port groups page.
2 From the Port groups drop-down list, select the group you want to edit and click Select.
3 In the Current ports area, select the port you want to change and click Edit.
4 In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.

Deleting a Port Group
To delete a port group:
1 Navigate to the Networking > Settings > Port groups page.
2 From the Port groups drop-down list, select the group you want to delete and click Select.
3 Click Delete.
Note: Deleting a port group cannot be undone.


Chapter 6 Configuring Inter-Zone Security

In this chapter:
• How bridging rules allow access between internal network zones.

About Zone Bridging Rules
By default, all internal network zones are isolated by Advanced Firewall. Zone bridging is the process of modifying this, in order to allow some kind of communication to take place between a pair of network zones.

A zone bridging rule defines a bridge in the following terms:
Term – Description
Zones – Defines the two network zones between which the bridge exists.
Direction – Defines whether the bridge is accessible one-way or bi-directionally.
Source – Defines whether the bridge is accessible from an individual host, a range of hosts, a network or any host.
Destination – Defines whether the bridge allows access to an individual host, a range of hosts, a network or any hosts.
Protocol – Defines what protocol can be used across the bridge.
Service – Defines what ports and services can be used across the bridge.

It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge, using a named port and protocol, or a wide or unrestricted bridge, e.g. a bi-directional, any-host to any-host bridge, using any port and protocol. In general, make bridges as narrow as possible to prevent unnecessary or undesirable use.

Creating a Zone Bridging Rule
Zone bridging rules enable communications between specific parts of separate internal networks.

To create a zone bridging rule:
1 Navigate to the Networking > Filtering > Zone bridging page.
2 Configure the following settings:
Setting – Description
Source interface – From the drop-down menu, select the source network zone.
Destination interface – From the drop-down menu, select the destination network zone.
Bidirectional – Select to create a two-way bridge where communication can be initiated from either the source interface or the destination interface. Note: To create a one-way bridge where communication can only be initiated from the source interface to the destination interface and not vice versa, ensure that this option is not selected.
Source IP – Enter the source IP, IP range or subnet range from which access is permitted. To create a bridge from:
• A single network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the source network, leave the field blank.
Destination IP – Enter the destination IP, IP range or subnet range to which access is permitted. To create a bridge to:
• A single network host, enter its IP address, for example: 192.168.10.1.
• A range of network hosts, enter an IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts, enter a subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the destination network, leave the field blank.
Protocol – From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.

Service – From the drop-down list, select the service, port range or group of ports to which access is permitted. Or, select User defined and leave the Port field blank to permit access to all ports for the relevant protocol.
Port – If User defined is selected as the destination port, specify the port number. Or, leave the field blank to permit access to all ports for the relevant protocol. Note: This is only applicable to TCP and UDP.
Enabled – Select to enable the rule.
Comment – Enter a description of the bridging rule.
3 Click Add. The rule is added to the Current rules table.

Editing and Removing Zone Bridge Rules
To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.

A Zone Bridging Tutorial
In this tutorial, we will use the following two local network zones:
Network zone – Description – IP address
Protected network – Contains local user workstations and confidential business data – 192.168.100.0/24
DMZ – Contains a web server – 192.168.200.0/24

Note: The DMZ network zone is a DMZ in name alone – until appropriate bridging rules are created, neither zone can see or communicate with the other.

In this example, we will create a DMZ that:
• Allows restricted external access to a web server in the DMZ, from the Internet.
• Allows unrestricted access to the DMZ from the protected network.
• Does not allow access to the protected network from the DMZ.

A single zone bridging rule will satisfy the bridging requirements, while a simple port forward will forward HTTP requests from the Internet to the web server in the DMZ.

Creating the Zone Bridging Rule
To create the rule:
1 Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:
Setting – Description
Source interface – From the drop-down menu, select the protected network.
Destination interface – From the drop-down menu, select the DMZ.
Protocol – From the drop-down list, select All.

Comment – Enter a description of the rule.
Enabled – Select Enabled to activate the bridging rule once it has been added.
2 Click Add.

Hosts in the protected network will now be able to access any host or service in the DMZ, but not vice versa.

Allowing Access to the Web Server
To allow access to a web server in the DMZ from the Internet:
1 Navigate to the Networking > Firewall > Port forwarding page and configure the following settings:
Setting – Description
Protocol – From the drop-down list, select TCP.
Service – Select HTTP (80) to forward HTTP requests to the web server.
Destination IP – Enter the IP address of the web server: 192.168.200.10.
Comment – Enter a description, such as Port forward to DMZ web server.
Enabled – Select to activate the port forward rule once it has been added.
2 Click Add.

Accessing a Database on the Protected Network
Multiple zone bridging rules can be used to further extend the communication allowed between the zones. As an extension to the previous example, a further requirement might be to allow the web server in the DMZ to communicate with a confidential database in the Protected Network.

To create the rule:
1 Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:
Setting – Description
Source interface – From the drop-down menu, select DMZ.
Source IP – Enter the web server's IP address: 192.168.200.10.
Destination interface – From the drop-down menu, select Protected Network.
Destination IP – Enter the database's IP address: 192.168.100.50.
Protocol – From the drop-down menu, select TCP.
Service – Select User defined.
Port – The database service is accessed on port 3306. Enter 3306.
Comment – Enter a comment: DMZ web server to Protected Network DB.
Enabled – Select to activate the bridging rule once it has been added.
2 Click Add.
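The tutorial's two bridging rules are a good test case for the bridge semantics described in this chapter: zones are isolated unless a rule opens them, a one-way rule only matches flows initiated from its source zone, and the narrow second rule admits one host to one host on one TCP port. The evaluator below, added here as an illustration and not Smoothwall's own code, encodes those semantics and checks the tutorial's rules against a set of constructed flows, including ones that must be refused. The port field accepts the start:end range syntax from the Port groups section, so the same check serves port groups as well. Zone names, rule field names and the flow record are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, NamedTuple


def _covers(spec: str, ip: str) -> bool:
    """Blank = any host; otherwise a host, a lo-hi range or a subnet
    in dotted-decimal or prefix notation."""
    if not spec:
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec.strip(), strict=False)


def port_allowed(spec: str, port: int) -> bool:
    """Port groups write a range as start:end (e.g. 1024:65535);
    a blank spec means every port of the protocol."""
    if not spec:
        return True
    lo_s, _, hi_s = spec.partition(":")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port specification {spec!r}")
    return lo <= port <= hi


class Flow(NamedTuple):
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    protocol: str
    port: int


@dataclass
class BridgeRule:
    source_zone: str
    dest_zone: str
    bidirectional: bool = False
    source_ip: str = ""       # blank = any host in the source zone
    dest_ip: str = ""         # blank = any host in the destination zone
    protocol: str = "All"
    ports: str = ""           # blank = all ports of the protocol
    enabled: bool = True
    comment: str = ""


def _one_way(rule: BridgeRule, from_zone: str, to_zone: str,
             from_spec: str, to_spec: str, flow: Flow) -> bool:
    proto_ok = rule.protocol.lower() in ("all", flow.protocol.lower())
    return (flow.src_zone == from_zone and flow.dst_zone == to_zone
            and _covers(from_spec, flow.src_ip) and _covers(to_spec, flow.dst_ip)
            and proto_ok and port_allowed(rule.ports, flow.port))


def bridge_allows(rules: List[BridgeRule], flow: Flow) -> bool:
    """Zones are isolated by default; a bidirectional rule also matches
    flows initiated from its destination zone towards its source zone."""
    if flow.src_zone == flow.dst_zone:
        return True   # intra-zone traffic is not subject to bridging
    for r in rules:
        if not r.enabled:
            continue
        if _one_way(r, r.source_zone, r.dest_zone, r.source_ip, r.dest_ip, flow):
            return True
        if r.bidirectional and _one_way(r, r.dest_zone, r.source_zone,
                                        r.dest_ip, r.source_ip, flow):
            return True
    return False


# The two rules from the tutorial, as this example represents them.
TUTORIAL_RULES = [
    BridgeRule("Protected", "DMZ", comment="Protected network to DMZ, all traffic"),
    BridgeRule("DMZ", "Protected", source_ip="192.168.200.10", dest_ip="192.168.100.50",
               protocol="TCP", ports="3306", comment="DMZ web server to Protected Network DB"),
]

if __name__ == "__main__":
    # Constructed flows: a workstation reaching the DMZ, the web server
    # reaching the database, and the web server trying anything else.
    for flow in [Flow("Protected", "DMZ", "192.168.100.20", "192.168.200.10", "tcp", 22),
                 Flow("DMZ", "Protected", "192.168.200.10", "192.168.100.50", "tcp", 3306),
                 Flow("DMZ", "Protected", "192.168.200.10", "192.168.100.20", "tcp", 22)]:
        print(flow, "->", "allowed" if bridge_allows(TUTORIAL_RULES, flow) else "blocked")
```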

Group Bridging
By default, authenticated users may only access network resources within their current network zone, or that are allowed by any active zone bridging rules. Group bridging is the process of modifying this default security policy, in order to allow authenticated users from any network zone to access specific IP addresses, IP ranges, subnets and ports within a specified network zone. Authenticated groups of users can be bridged to a particular network by creating group bridging rules.

Group Bridging and Authentication
Group bridging uses the core authentication mechanism, meaning that users must be preauthenticated before group bridging rules can be enforced by Advanced Firewall. Users can authenticate themselves using the authentication system's Login mechanism, either automatically when they try to initiate outbound web access or manually by browsing to the secure SSL Login page. Authentication can also be provided by any other mechanism used elsewhere in the system. For further information about authentication, see Chapter 10, Authentication and User Management on page 193.

Creating Group Bridging Rules
Group bridging rules apply additional zone communication rules to authenticated users. A group bridging rule defines a bridge in the following terms:
Group – The group of users from the authentication sub-system that may access the bridge.
Zone – The destination network zone.
Destination – Defines whether the bridge allows access to an individual host, a range of hosts, a subnet of hosts or any hosts.
Protocol – Defines what protocol can be used across the bridge.
Service – Defines what ports and services can be used across the bridge.

Like zone bridges, group bridges can be narrow (e.g. allow access to a single host, using a named port and protocol) or wide (e.g. allow access to any host, using any port and protocol). In general, bridges should be made as narrow as possible to prevent unnecessary or undesirable use.

To create a group bridging rule:
1 Navigate to the Networking > Filtering > Group bridging page.
2 Configure the following settings:
Setting – Description
Groups – From the drop-down menu, select the group of users that this rule will apply to.
Select – Click to select the group.
Destination interface – Select the interface that the group will be permitted to access.
Destination IP – Enter the destination IP, IP range or subnet range that the group will be permitted to access. To create a rule to allow access to:
• A single network host in the destination network, enter its IP address, for example: 192.168.10.1.
• A range of network hosts in the destination network, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
• A subnet range of network hosts in the destination network, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
• Any network host in the destination network, leave the field blank.
Protocol – From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.
Service – From the drop-down list, select the service, port or port range to be used. To allow any service or port to be used, select User defined and leave the Port field empty. To restrict to a custom port, select User defined and enter a port number in the Port field.
Port – If applicable, enter a destination port or range of ports. If this field is blank, all ports for the relevant protocol will be permitted.
Enabled – Select to enable the rule.
Comment – Enter a description of the rule.
3 Click Add. The rule is added to the Current rules table.

Editing and Removing Group Bridges

To edit or remove existing group bridging rules, use the Edit and Remove buttons in the Current rules region.


Chapter 7
Managing Inbound and Outbound Traffic

In this chapter:
• How port forward rules work
• Application helpers which allow traffic passing through the firewall to work correctly
• How to manage outbound access to IP addresses and networks.

Introduction to Port Forwards – Inbound Security

Port forwards are used to forward requests that arrive at an external network interface to a particular network host in an internal network zone. It is common to think of such requests arriving from hosts on the Internet; however, port forwards can be used to forward any type of traffic that arrives at an external interface, regardless of whether the external interface connects to the Internet or some other external network zone.

For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server listening on port 81 in a De-Militarized Zone (DMZ). If the web server has an IP address of 192.168.60.2, you can create a port forward rule to forward all port 80 TCP traffic to port 81 on 192.168.60.2.

Port Forward Rules Criteria

Port forward rules can be configured to forward traffic based on the following criteria:

External IP – Forward traffic if it originated from a particular IP address, IP address range or subnet range.
Source IP – Forward traffic if it arrived at a particular external interface or external alias.
Protocol – Forward traffic if it uses a particular protocol.
Port – Forward traffic if it was destined for a particular port or range of ports.
Destination IP – A port forward will send traffic to a specific destination IP.
Destination port – A port forward will send traffic to a specific destination port.

Note: It is important to consider the security implications of each new port forward rule. Port forwards allow unknown hosts from the external network to access a particular internal host. Any network is only as secure as the services exposed upon it. If a cracker manages to break into a host that they have been forwarded to, they may gain access to other hosts in the network. For this reason, we recommend that all port forwards are directed towards hosts in isolated network zones, i.e. a DMZ scenario, that preferably contain no confidential or security-sensitive network hosts. Use the Networking > Filtering > Zone bridging page to ensure that the target host of the port forward is contained within a suitably isolated network.

Creating Port Forward Rules

To create a port forward rule:

1 Navigate to the Networking > Firewall > Port forwarding page.

2 Configure the following settings:

External interface – From the drop-down menu, select the interface that the port forward will be bound to. By default, a port forward is bound to the primary external connection. However, if you have a secondary external connection, you can assign a port forward explicitly to it.
Select – Click to select the external interface specified.
External IP or network – Enter the IP address, address range or subnet range of the external hosts allowed to use this rule. Or, to create a port forward rule that will forward all external hosts (such as that required to port forward anonymous HTTP requests from any network host to a web server), leave this field blank.
Protocol – From the drop-down list, select the network protocol for the traffic that you want to forward. For example, to port forward an HTTP request, which is a TCP-based protocol, choose the TCP option.

Source IP – Select the external IP alias that this rule will apply to. In most cases, this will be the IP of the default external connection.
Source service – From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
User defined – If User defined is selected in the Source service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
Destination IP – Enter the IP address of the network host to which traffic should be forwarded.
Destination service – From the drop-down menu, select the service, port, port range or group of ports. Or, select User defined.
User defined – If User defined is selected as the destination service, enter a destination port. Leave this field empty to create a port forward that uses the source port as the destination port. If it contains a single port, then this will be used as the target. If left blank and the source service value specified a port range, the destination port will be the same as the port that the connection came in on. Note: Only applies to the protocols TCP and UDP.
Log – Select to log all port forwarded traffic.
IPS – Select to deploy intrusion prevention. See Chapter 8, Deploying Intrusion Prevention Policies on page 115 for more information.
Comment – Enter a description of the port forward rule.
Enabled – Select to enable the rule.

3 Click Add. The port forward rule is added to the Current rules table.

Editing and Removing Port Forward Rules

To edit or remove existing port forward rules, use Edit and Remove in the Current rules area.

Load Balancing Port Forwarded Traffic

Advanced Firewall enables you to load balance port forwarded traffic to different network hosts.

To load balance port forwards:

1 On the Networking > Firewall > Port forwarding page, create a port forward rule to the first network host. See Creating Port Forward Rules on page 68 for more information.

2 On the Networking > Firewall > Port forwarding page, create another port forward rule using exactly the same settings except for the destination IP to the second network host. Advanced Firewall automatically balances the traffic between the hosts.

Advanced Network and Firewall Settings

The following sections explain network application helpers, how you can manage bad traffic actions, reflective port forwarding and connectivity failback.
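The port forward rule fields described above (external host specification, protocol, A:B source service, and the blank destination port that keeps the incoming port), the host notation shared with the group bridging Destination IP field, and the load-balancing pairs from Load Balancing Port Forwarded Traffic, as an added Python model. This is example code, not Smoothwall's implementation; the round-robin choice between balanced hosts and all rule values except the guide's 192.168.60.2 web server are assumptions.

```python
"""Port forward rule matching and target selection, modelled on the rule
fields documented above (added example, not Smoothwall code)."""
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

def parse_port_spec(spec: str) -> Tuple[int, int]:
    """'80' -> (80, 80); '1000:1028' -> (1000, 1028), the guide's A:B notation."""
    if ":" in spec:
        lo, hi = (int(p) for p in spec.split(":", 1))
    else:
        lo = hi = int(spec)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port specification: {spec!r}")
    return lo, hi

def host_spec_allows(spec: str, ip: str) -> bool:
    """Blank = any host; otherwise a single IP, a range a-b, or a subnet in
    either 192.168.10.0/24 or 192.168.10.0/255.255.255.0 form (the same
    notation the group bridging Destination IP field accepts)."""
    spec = spec.strip()
    addr = ipaddress.ip_address(ip)
    if not spec:
        return True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)

@dataclass
class PortForward:
    external_ip_or_network: str              # "" = any external host
    protocol: str                            # "tcp" or "udp"
    source_service: str                      # "80" or "1000:1028"
    destination_ip: str
    destination_port: Optional[int] = None   # None = same port the connection came in on
    enabled: bool = True

    def matches(self, proto: str, src_ip: str, dst_port: int) -> bool:
        lo, hi = parse_port_spec(self.source_service)
        return (self.enabled
                and proto.lower() == self.protocol.lower()
                and lo <= dst_port <= hi
                and host_spec_allows(self.external_ip_or_network, src_ip))

    def target(self, incoming_port: int) -> Tuple[str, int]:
        # A blank destination port keeps the incoming port, which is what lets
        # a single rule forward a whole range such as 1000:1028 unchanged.
        port = self.destination_port if self.destination_port else incoming_port
        return self.destination_ip, port

class PortForwardTable:
    """Ordered rules; rules identical except for destination IP form a
    load-balanced group whose hosts are used in turn (round robin is this
    example's assumption; the guide only says the traffic is balanced)."""

    def __init__(self, rules: List[PortForward]) -> None:
        self.rules = rules
        self._cycles: Dict[tuple, Iterator[PortForward]] = {}

    @staticmethod
    def _key(r: PortForward) -> tuple:
        return (r.external_ip_or_network, r.protocol, r.source_service, r.destination_port)

    def forward(self, proto: str, src_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        hits = [r for r in self.rules if r.matches(proto, src_ip, dst_port)]
        if not hits:
            return None                      # no rule: the packet is not forwarded
        key = self._key(hits[0])
        group = [r for r in hits if self._key(r) == key]
        if key not in self._cycles:
            self._cycles[key] = itertools.cycle(group)
        return next(self._cycles[key]).target(dst_port)

def build_rules() -> PortForwardTable:
    """Constructed sample rule set. 192.168.60.2 port 81 is the guide's DMZ web
    server example; the other hosts and the 203.0.113.0/24 network are invented."""
    return PortForwardTable([
        PortForward("", "tcp", "80", "192.168.60.2", 81),
        PortForward("203.0.113.0/24", "udp", "1000:1028", "192.168.60.10"),
        PortForward("", "tcp", "443", "192.168.60.21"),
        PortForward("", "tcp", "443", "192.168.60.22"),
    ])

def demo() -> list:
    table = build_rules()
    return [
        table.forward("tcp", "198.51.100.7", 80),    # ('192.168.60.2', 81)
        table.forward("udp", "203.0.113.9", 1010),   # ('192.168.60.10', 1010)
        table.forward("udp", "198.51.100.7", 1010),  # None: outside the allowed external network
        table.forward("tcp", "198.51.100.7", 443),   # ('192.168.60.21', 443)
        table.forward("tcp", "198.51.100.8", 443),   # ('192.168.60.22', 443)
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```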

Network Application Helpers

Advanced Firewall includes a number of helper applications which must be enabled to allow certain types of traffic passing through the firewall to work correctly. The following helper applications are available:

FTP – IP information is embedded within FTP traffic; this helper application ensures that FTP active mode client connections are not adversely affected by the firewall.
IRC – IP information is embedded within IRC traffic; this helper application ensures that IRC communication is not adversely affected by the firewall.
Advanced PPTP support – When enabled, loads special software modules to help PPTP clients. This is the PPTP client protocol used in standard Windows VPNing. If this option is not selected, it is still possible for PPTP clients to connect through to a server on the outside, but not in all circumstances. Difficulties can occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet. In this case, this application helper should be used. Without this option enabled, it is not possible to forward PPTP traffic.
H323 – When enabled, loads modules to enable passthrough of H323, a common protocol used in Voice over IP (VoIP) applications. Without this option enabled, it will not be possible to make VoIP calls. Additionally, with this option enabled, it is possible to receive incoming H323 calls through the use of a port forward on the H323 port. Note: When this application helper is enabled there is a theoretical security risk associated with the use of H323 passthrough. For this reason, this option is not enabled by default. We recommend that you only enable this feature if you require VoIP functionality.

To enable helper applications:

1 Navigate to the Networking > Firewall > Advanced page.

2 In the Network application helpers area, select the application(s) you require.

3 Click Save changes. Advanced Firewall applies and saves the changes.

Managing Bad External Traffic

By default, bad traffic is rejected and a 'No one here' ICMP message is bounced back to the sender. This is what Internet hosts are meant to do. However, using the Bad external traffic action option, you can drop traffic silently, which enables you to 'stealth' your firewall and make things like port scans much harder to do.

To manage bad external traffic:

1 Navigate to the Networking > Firewall > Advanced page.

2 Optionally, in the Advanced area, from the Bad external traffic drop-down list, select Drop to silently discard the traffic and not send a message to the sender, or Reject to reject the traffic and notify the sender. Dropping traffic runs Advanced Firewall in a stealth-like manner and makes things like port scans much harder to do.

3 Click Save changes to implement your selection.

Configuring Reflective Port Forwards

By default, port forwards are not accessible from within the same network where the destination of the forward resides. However, when enabled, the reflective port forwards option allows port forwards originating on an internal network to reach a host on the same network. This makes it possible to access a port forwarded service from inside the internal network using the same (external) address as an external host would.

To configure reflective port forwards:

1 Navigate to the Networking > Firewall > Advanced page.

2 Enable Reflective port forwards and click Save changes. Advanced Firewall applies and saves the changes.

Managing Connectivity Failback

The following sections explain how to configure failback and automatic failback for connectivity profiles. For more information on connectivity profiles, see Chapter 3, Connecting Using a Static Ethernet Connectivity Profile on page 20.

Configuring Connectivity Failback

The following section explains how to configure Advanced Firewall to revert to a specific connectivity profile after reboot if its primary connectivity profile has failed.

To configure connectivity failback:

1 On the Networking > Firewall > Advanced page, go to the Connectivity Failback area.

2 From the Connectivity failback profile drop-down menu, select the profile to use after reboot if the primary connectivity profile has failed.

3 Click Save changes.

Configuring Automatic Failback

It is possible to configure Advanced Firewall to enable automatic failback. When enabled, Advanced Firewall automatically attempts, once a day, to revert to the connectivity failback profile specified in the Connectivity Failback area.

To configure automatic failback:

1 On the Networking > Firewall > Advanced page, go to the Connectivity Failback area.

2 Enable Automatic failback and click Save changes. Advanced Firewall applies and saves the changes.

Managing Outbound Traffic and Services

The following sections discuss port and access rules which are used to control outbound network traffic and services.

Working with Port Rules

Port rules are used when creating outbound access rules which determine how outbound network traffic and services are managed. For more information on outbound access rules, see Working with Outbound Access Policies on page 76.

Predefined Port Rules

Advanced Firewall contains a number of predefined, customizable port rules which allow or reject network traffic or specific services access on certain ports. Currently, the following port rules are predefined:

Allow all – Allow unrestricted outbound access to the Internet.
Allow basic services – Allow services common to most user computers, including web browsing (HTTP and HTTPS) and DNS on listed ports.
Allow email services – Allow email services on listed ports.
Reject all – Reject all outbound access to the Internet except for listed ports.
Reject all with logging – Reject all outbound access to the Internet except for listed ports and log the rejections.
Reject all P2P – Reject all peer to peer outbound access to the Internet on listed ports.
Reject MS ports – Reject outbound access on the listed ports which are associated with Microsoft Windows local area networking.
Reject known exploits – Reject outbound access on the listed ports which are associated with many common exploits against programs and services.

For more information, see Managing Blocked Services on page 74.

Creating a Port Rule

It is possible to create a custom port rule.

To create a port rule:

1 Navigate to the Networking > Outgoing > Ports page.

2 Click Add new port rule. The following dialog box opens.

3 Configure the following settings:

Name – Enter a name for the port rule. This name will be displayed wherever the rule can be selected.
Action – Select one of the following actions:
Reject only listed ports – Reject outbound access on listed ports but allow on all other ports.
Allow only listed ports – Allow outbound access on listed ports but reject on all other ports.

Rejection logging – Select if you want to log outbound requests rejected by this rule.
Stealth mode – Select if you want to log but not reject outbound requests. Note: This generates a lot of data and should be used with care.

4 Click Add. Advanced Firewall adds the port rule to the Port rules list.

5 Click the rule's content arrow. The ports/services in the rule are displayed. Click Add new port/service. The following dialog box opens.

6 Configure the following settings:

Status – Select to enable the rule.
Protocol – From the drop-down menu, select the network protocol to add to the port.
Destination port – Select one of the following:
• Any – Any destination port.
• From the drop-down menu, select the port, port range or group of ports you want to allow or deny access to.
• Enter a custom port number or range of ports if User defined is selected in the Service drop-down list. A port range is specified using from:to notation, for example: 1024:2048.
Note: Some services use unpredictable port numbers to evade port-based outbound access rules. To control access to these services, see Managing Blocked Services on page 74.
Comment – Enter a description of the port.

7 Click Add. The port is added to the port rule.

Managing Blocked Services

Advanced Firewall is able to detect and block service activity such as Skype and BitTorrent using deep packet inspection.

To configure blocking services:

1 On the Networking > Outgoing > Ports page, locate the port rule for which you want to configure services.

2 Click the rule's content arrow. The ports/services contained in the rule are displayed.

3 Point to Blocked services and click Edit. The following dialog box opens. Note: The types of services available depend on what Deep Packet Inspection licensing you have purchased. Contact your Smoothwall representative for more information.

4 Select the services you want to block.

5 Click Save to save the settings and close the dialog box. Advanced Firewall applies the settings and starts blocking the services selected.

Editing a Port Rule

To edit a port rule:

1 On the Networking > Outgoing > Ports page, point to the port rule and select Edit.

2 In the Edit port rule dialog box, make any changes required. See Creating a Port Rule on page 73 for information on the settings available.

3 Click Save changes to apply the changes and close the dialog box.

Editing a Port Rule's Contents

To edit the contents of a port rule:

1 On the Networking > Outgoing > Ports page, click the rule's content arrow. The ports/services contained in the rule are displayed.

2 Point to the port/service and click Edit. In the Edit port/service dialog box, make any changes required. See Creating a Port Rule on page 73 for information on the settings available.

3 Click Save changes to apply the changes and close the dialog box.

Deleting a Port Rule

To delete a port rule:

1 On the Networking > Outgoing > Ports page, point to the rule and select Delete. When prompted, click Delete to confirm that you want to delete the rule and its contents.

Working with Outbound Access Policies

Advanced Firewall enables you to create policies which determine outbound access for network traffic and services depending on:
• the group(s) an authenticated user belongs to, or
• the source and/or destination of the traffic.

By default, Advanced Firewall contains a default outbound access policy which uses the Allow all port rule and allows unrestricted outbound access to the Internet. If the outbound network traffic or service does not match any policy, the Default policy is applied. You can reorder outbound access policies to suit your requirements. Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.

Creating Outbound Access Policies for Groups

The Groups section is used to assign outbound access policies to traffic or services from users in an authenticated group of users. Note: Once the network traffic matches a policy, Advanced Firewall does not apply any further policy matching.

To assign a policy to a group of users:

1 Navigate to the Networking > Outgoing > Policies page.

2 Click Add new policy. The following dialog box opens.

3 Configure the following settings:

Status – Select Enabled to enable the policy.
Group – From the drop-down menu, select the group to which the outbound access policy applies.
Port rule – From the drop-down menu, select which port rule to use in the outbound access policy. For more information on port rules, see Working with Port Rules on page 72.
Comment – Enter a description for the policy.

4 Click Add. The policy is added to the list of groups.

5 Place the policy where it is required by selecting it and using Up or Down, or by dragging it to the correct position and clicking Save moves.

Note: Group policies cannot be enforced in all circumstances. If a user has not actively authenticated themselves, using the SSL Login page or by some other authentication method, the user is unknown to the system and a policy cannot be applied. Group policies are often more suitable for allowing access to ports and services. In such situations, users have a reason to pro-actively authenticate themselves so that they can gain access to an outbound port or service.

Creating Outbound Access Policies for Traffic from Sources and/or Destinations

When the source and/or destination IP addresses of outbound traffic match a policy in the Sources and Destination addresses, Advanced Firewall checks that the traffic does not break the port rule(s) assigned to that source and/or destination.

To create a policy:

1 Browse to the Networking > Outgoing > Policies page.

2 Click Add new Policy.

3 In the Add new policy dialog box, configure the following settings:

Status – Select to enable the policy.
Name – Enter a name for the policy.
Source – Configure one of the following to apply the policy to:
• Any – Any source IP address.
• A single source IP address, a range (x.x.x.x-y.y.y.y) or a subnet (x.x.x.x/y).
Destination – Configure one of the following to apply the policy to:
• Any – Any destination IP address.
• A single destination IP address, a range (x.x.x.x-y.y.y.y) or a subnet (x.x.x.x/y).
Port rule – From the drop-down list, select the port rule to apply. For more information, see Working with Port Rules on page 72.
Comment – Enter a description for the policy.
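How the pieces described in Working with Port Rules and the two policy sections fit together, as an added Python model (not Smoothwall's code): port rules that reject only or allow only their listed ports, rejection logging and stealth mode, group policies that are skipped for unauthenticated users, source/destination policies, first-match evaluation and the Allow all Default policy. The sample rule contents, group name and addresses are constructed for the example; the guide does not list the ports in its predefined rules.

```python
"""Outbound access policy evaluation as documented above (added example, not
Smoothwall code). Policies are tried in order and the first match wins; traffic
matching no policy falls through to the Default policy (Allow all)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"

def port_in(spec: str, port: int) -> bool:
    """Single port or from:to range, e.g. '1024:2048'."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

@dataclass
class PortRule:
    name: str
    action: str                      # "reject_listed" or "allow_listed"
    entries: List[Tuple[str, str]]   # (protocol or "any", port or from:to range)
    rejection_logging: bool = False
    stealth_mode: bool = False       # log but do not reject (generates a lot of data)

    def listed(self, proto: str, port: int) -> bool:
        return any(p in (proto, ANY) and port_in(spec, port) for p, spec in self.entries)

    def decide(self, proto: str, port: int) -> str:
        hit = self.listed(proto, port)
        reject = hit if self.action == "reject_listed" else not hit
        if not reject:
            return "allow"
        return "stealth" if self.stealth_mode else "reject"

# The predefined Allow all rule: rejects only listed ports, with nothing listed.
ALLOW_ALL = PortRule("Allow all", "reject_listed", [])

@dataclass
class Connection:
    src: str
    dst: str
    proto: str
    dport: int
    user_groups: Optional[List[str]] = None   # None = user has not authenticated

def addr_match(spec: str, ip: str) -> bool:
    """'any', a single address, or a subnet in x.x.x.x/y form."""
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

@dataclass
class Policy:
    port_rule: PortRule
    group: Optional[str] = None   # set for a group policy
    source: str = ANY             # used by source/destination policies
    destination: str = ANY
    enabled: bool = True

    def applies(self, c: Connection) -> bool:
        if not self.enabled:
            return False
        if self.group is not None:
            # An unauthenticated user is unknown to the system, so a group
            # policy cannot be applied to that traffic and is skipped.
            return c.user_groups is not None and self.group in c.user_groups
        return addr_match(self.source, c.src) and addr_match(self.destination, c.dst)

def evaluate(policies: List[Policy], c: Connection, log: List[str]) -> str:
    """First matching policy decides; no further policy matching takes place."""
    rule = next((p.port_rule for p in policies if p.applies(c)), ALLOW_ALL)
    verdict = rule.decide(c.proto, c.dport)
    if verdict != "allow" and (rule.rejection_logging or rule.stealth_mode):
        log.append(f"{rule.name}: {verdict} {c.proto}/{c.dport} {c.src} -> {c.dst}")
    return "allow" if verdict == "stealth" else verdict

# Constructed sample configuration; the port lists are this example's own,
# not the contents of the guide's predefined rules.
BASIC = PortRule("Allow basic services", "allow_listed",
                 [("tcp", "80"), ("tcp", "443"), ("any", "53")])
MS_PORTS = PortRule("Reject MS ports", "reject_listed",
                    [("tcp", "135"), ("any", "137:139"), ("tcp", "445")],
                    rejection_logging=True)
MS_STEALTH = PortRule("Reject MS ports (stealth)", "reject_listed",
                      MS_PORTS.entries, stealth_mode=True)
POLICIES = [
    Policy(BASIC, group="guests"),
    Policy(MS_PORTS, source="192.168.10.0/24"),
    Policy(MS_STEALTH, source="192.168.30.0/24"),
]

def demo() -> List[Tuple[str, List[str]]]:
    results = []
    for conn in [
        Connection("192.168.10.5", "203.0.113.10", "tcp", 445),              # unauthenticated
        Connection("192.168.10.5", "203.0.113.10", "tcp", 445, ["guests"]),  # guest: first match
        Connection("192.168.10.5", "203.0.113.10", "tcp", 443, ["guests"]),
        Connection("192.168.30.5", "203.0.113.10", "tcp", 445),              # stealth mode
        Connection("192.168.20.5", "203.0.113.10", "tcp", 445),              # Default policy
    ]:
        log: List[str] = []
        results.append((evaluate(POLICIES, conn, log), log))
    return results
```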

4 Click Add. The policy is added to the list of sources and destinations. Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.

5 Place the policy where it is required by selecting it and using Up or Down, or by dragging the rule to the correct position and clicking Save moves.

Editing a Policy

To edit a policy:

1 On the Networking > Outgoing > Policies page, point to the rule and select Edit.

2 In the Edit policy dialog box, make any changes required. See Creating Outbound Access Policies for Traffic from Sources and/or Destinations on page 77 for information on the settings available.

3 Click Save changes to apply the changes and close the dialog box.

Deleting a Policy

To delete a policy:

1 On the Networking > Outgoing > Policies page, point to the rule and select Delete. When prompted, click Delete to confirm that you want to delete the policy.

Managing External Services

Note: The External services page has been superseded by the functionality on the Networking > Outgoing > Policies page and has been deprecated. It will be removed in a future Advanced Firewall update.

You can prevent local network hosts from using external services by creating appropriate policies to stop outbound traffic.

To create an external service rule:

1 Navigate to the Networking > Outgoing > External services page and configure the following settings:

Service – Select Empty from the drop-down list.
Rejection logging – Select to log all traffic rejected by the external services rule.
Stealth mode – Select to allow traffic that would normally be rejected by the external services rule and log all traffic in the firewall logs.

Click Save.

2 In the Add a new rule area, configure the following settings:

Service rule name – Enter a name for the rule.
Destination IP – Enter the IP address of the external service to which the rule applies.
Protocol – Select the protocol used by the service.
Service – From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
Port – If User defined is selected in the Service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.

Comment – Enter a description of the rule.
Enabled – Select to enable the rule.

3 Click Add. The external service rule is added to the Current rules region.

Editing and Removing External Service Rules

To edit or remove existing external service rules, use Edit and Remove in the Current rules area.


Chapter 8
Advanced Firewall Services

In this chapter:
• Working with portals
• Managing the Web Proxy Service on page 87
• Instant Messenger Proxying on page 93
• Monitoring SSL-encrypted Chats on page 96
• SIP Proxying on page 96
• FTP Proxying on page 99
• Reverse Proxy Service on page 102
• SNMP on page 104
• DNS on page 105
• Censoring Message Content on page 109
• Managing the Intrusion System on page 114
• DHCP on page 119

For information on authentication services, see Chapter 10, Authentication and User Management on page 193.

Working with Portals

Advanced Firewall enables you to create portals which can be configured to make reports and software downloads available, and to enable users with the correct privileges to ban other users or locations from web browsing. For information on using a portal, see the Advanced Firewall Portal User's Guide.

Creating a Portal

The following section explains how to create a portal and make it accessible to users in a specific group.

168. 2 In the Portals area.Advanced Firewall Services Working with Portals To create a user portal and make it available to users: 1 Browse to the Services > User portal > Portals page.141/portal/ 3 Browse to the Services > User portal > Groups page. for example: http:// 192.72. Advanced Firewall creates the portal and makes it accessible on your Advanced Firewall system at. enter a name for the portal and click Save. 82 .

4 Configure the following settings:

Group – From the drop-down menu, select the group containing the users you want to authorize to use the portal. For more information on users and groups, see Chapter 10, Managing Groups of Users on page 216.
Portal – From the drop-down menu, select the portal you want the group to access.

5 Click Add. Advanced Firewall authorizes the group to use the portal. The next step is to configure the portal to enable authorized users to use it to download files, block other users from accessing the web, manage web access and display reports.

Configuring a Portal

The following sections explain how to configure an Advanced Firewall portal so that authorized users can view reports, download VPN client files and receive a custom welcome message.

Making Reports Available

To make reports available on a portal:

1 Browse to the Logs and reports > Reports > Reports page.

2 On the Permissions tab, locate the report you want to publish on a portal and click Portal Access. A dialog box containing report details opens.

3 From the Add access drop-down list, select the portal where you want to publish the report and click Add.

4 Click Close to close the dialog box.

5 Browse to the Services > User portal > Portals page and, in the Portals area, configure the following setting:

Portals – From the drop-down list, select the portal on which you want to make reports available and click Select.

6 In the Portal published reports and templates area, configure the following settings:

Enabled – Select Enabled.
Top reports displayed on portal home page – From the drop-down list, select the number of reports you want to display on the portal's home page. Advanced Firewall will display the most often viewed reports.

7 Browse to the bottom of the page and click Save to save the settings and make the reports available on the portal.

Enabling the Policy Tester

The policy tester enables portal users to test if a URL is accessible to a user at a specific location and time. It also enables them to request that content reported by the tool as blocked be unblocked by Advanced Firewall's system administrator. For more information, see Chapter 5, Using the Policy Tester on page 58.

To enable the policy tester:

1 Browse to the Services > User portal > Portals page and configure the following settings:

Policy tester – Select Enabled.
Allow unblock requests – Select to allow portal users to send an unblock request to Advanced Firewall's system administrator.
Administrator's email address – Enter the email address to send the unblock request to.

2 Browse to the bottom of the page and click Save to save the settings.

Enabling Groups to Block Users' Access

You can enable users in a specific group which can access the portal to block individual user web access.

To enable a group to block users:

1 Browse to the Services > User portal > Portals page and, in the Portals area, configure the following setting:

Portals – From the drop-down list, select the portal on which you want to enable groups to block users.

2 In the Portal permissions for web access blocking area, configure the following settings:

Enabled – Select Enabled.
Allow control of groups – Select this option and, in the list of groups displayed, select the group(s) containing the users that the group is authorized to block from accessing the web. To select consecutively listed groups, hold down the Shift key while selecting. To select non-consecutively listed groups, hold down the Ctrl key while selecting.

3 Browse to the bottom of the page and click Save to save the settings.

Enabling Groups to Block Location-based Web Access

You can enable users in a specific group which can access an Advanced Firewall portal to block specific locations from accessing the other networks or external connections. For information on locations, see Chapter 5, Working with Location Objects on page 39.

To authorize blocking:

1 Browse to the Services > User portal > Portals page and, in the Portals area, configure the following setting:

Portals – From the drop-down list, select the portal on which you want to authorize groups to block users.

2 In the Portal permissions for web access blocking area, configure the following settings:

Enabled – Select Enabled.

Allow control of locations – Select this option and, in the list of locations displayed, select the location(s) that the group is authorized to block from accessing the web. To select consecutively listed locations, hold down the Shift key while selecting. To select non-consecutively listed locations, hold down the Ctrl key while selecting.

3 Browse to the bottom of the page and click Save to save the settings.

Making the SSL VPN Client Archive Available

You can configure Advanced Firewall portals to make an SSL VPN client archive available for download on the portal. See Chapter 9, Virtual Private Networking on page 127 for information on how to create the archive.

To make the archive available:

1 In the VPN connection details area, select SSL VPN client archive download.

2 Browse to the bottom of the page and click Save to save the settings.

Configuring a Welcome Message

Advanced Firewall enables you to display a customized welcome message when a user visits a portal.

To display a welcome message on a portal:

1 Browse to the Services > User portal > Portals page and, in the Welcome message area, configure the following settings:

Welcome message – Select to display the message on the portal. In the text box, enter a welcome message and/or any information you wish the user to have, for example regarding acceptable usage of the portal.

2 Browse to the bottom of the page and click Save to save the settings.

Assigning Groups to Portals

The following section explains how to assign a group of users to a portal so that they can access it. For more information on groups, see Chapter 10, Managing Groups of Users on page 216.

To assign a group to a portal:

1 Browse to the Services > User portal > Groups page.

2 Configure the following settings:

Group – From the drop-down menu, select the group you want to allow access to the portal.
Portal – From the drop-down menu, select the portal you want the group to access.

3 Click Add. Advanced Firewall will allow members of the group to access the specified portal.

Making User Exceptions

You can configure Advanced Firewall so that a user uses a specific portal. This setting overrides group settings.

To make user exceptions on a portal:

1 Browse to the Services > User portal > User exceptions page.

2 Configure the following settings:

Username – Enter the username of the user you want to access the portal.
Portal – From the drop-down list, select the portal you want the user to access.

3 Click Add. Advanced Firewall gives the user access to the portal.

Accessing Portals

The following section explains how to access a portal.

To access a portal:

1 In the browser of your choice, enter the URL to the portal on your Advanced Firewall system, for example: http://192.168.72.141/portal/

2 Accept any certificate and other security information. Advanced Firewall displays the login page for the portal.

3 Enter a valid username and password and click Login. The portal is displayed. For more information, see the Advanced Firewall Portal User Guide.

Editing Portals

The following section explains how to edit a portal.

To edit a portal:

1 Browse to the Services > User portal > Portals page.

2 From the Portals drop-down list, select the portal you want to edit.

3 Make the changes you require; see Configuring a Portal on page 83 for information on the settings available.

4 Click Save to save the changes.

Deleting Portals

The following section explains how to delete a portal.

To delete a portal:
1 Browse to the Services > User portal > Portals page.
2 From the Portals drop-down list, select the portal you want to delete.
3 Click Delete. Advanced Firewall deletes the portal.

Managing the Web Proxy Service
Advanced Firewall's web proxy service provides local network hosts with controlled access to the Internet with the following features:
• Transparent or non-transparent operation
• Caching controls for improved resource access times
• Support for automatic configuration scripts
• Support for remote proxy servers.

Configuring and Enabling the Web Proxy Service
To configure and enable the web proxy service:
1 Navigate to the Services > Proxies > Web proxy page.

2 Configure the following settings:
Cache size: Enter the amount of disk space, in MBytes, to allocate to the web proxy service for caching web content, or accept the default value. The cache size should be configured to approximately 40% of the system's total storage capacity. Larger cache sizes can be specified, up to a maximum of around 10 gigabytes (approximately 10000 megabytes) for a high performance system with storage capacity in excess of 25 gigabytes, but they may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages. The specified size must not exceed the amount of free disk space available. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached.
Remote proxy: Optionally, enter the address of a remote proxy in the following format: hostname:port. This configures the web proxy to operate in conjunction with a remote web proxy. In most scenarios this field will be left blank and no remote proxy will be used. Larger organizations may wish to use a dedicated proxy, and ISPs sometimes offer remote proxy servers to their subscribers.
Remote proxy username: Enter the remote proxy username if using a remote proxy with user authentication.
Remote proxy password: Enter the remote proxy password when using a remote proxy with user authentication.
Max object size: Specify the largest object size that will be stored in the proxy cache. Objects larger than the specified size will not be cached. This prevents large downloads filling the cache. The default of 4096 K bytes (4 M bytes) should be adjusted to a value suitable for the needs of the proxy end-users.
Min object size: Specify the smallest object size that will be stored in the proxy cache. Objects smaller than the specified size will not be cached. This can be useful for preventing large numbers of tiny objects filling the cache. The default is no minimum, which should be suitable for most purposes.
Max incoming size: Specify the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. This can be used to prevent excessive and disruptive download activity. The default is no limit.
Max outgoing size: Specify the maximum amount of outbound data that can be sent by a browser in any one request. This can be used to prevent large uploads or form submissions. The default is no limit.

Transparent: Select to enable transparent proxying. When operating in transparent mode, network hosts and users do not need to configure their web browsers to use the web proxy. All requests are automatically redirected through the cache. This can be used to prevent network hosts from browsing without using the proxy server. In non-transparent mode, proxy server settings (IP address and port settings) must be configured in all browsers. For more information, see About Web Proxy Methods on page 91.
Enabled: Select to enable the web proxy service.
Disable proxy logging: Select to disable the proxy logging.
Allow admin port access: Select to permit access to other network hosts over ports 81 and 441, or other non-standard HTTP and HTTPS services, through the proxy. In normal circumstances such communication would be prevented. This is useful for accessing a remote Smoothwall system. Note: By selecting this option, it is possible to partially bypass the admin access rules on the System > Administration > Admin options page. This would allow internal network hosts to access the admin logon prompt via the proxy.
Do not cache: Enter any domains that should not be web cached, one entry per line. Enter domain names without the www. prefix. This can be used to ensure that old content of frequently updated web sites is not cached.
Banned local IP addresses: Enter any IP addresses on the local network that are completely banned from using the web proxy service. If any hosts contained in this list try to access the web they will receive an error page stating that they are banned.
Exception local IP addresses: Enter any IP addresses on the local network that should be completely exempt from authentication restrictions. Exception local IP addresses are typically used to grant administrator workstations completely unrestricted Internet access.
No user authentication: Select to allow users to globally access the web proxy service without authentication.
Proxy authentication: Select to allow users to access the web proxy service according to the username and password that they enter when prompted by their web browser. The username and password details are encoded in all future page requests made by the user's browser software. Encoding is not encryption: anything that can see the traffic between the browser and the proxy can read those credentials. Note: You can only use proxy authentication if the proxy is operating in non-transparent mode.
Core authentication: Select to allow users to access the web proxy service by asking the authentication system whether there is a known user at a particular IP address. If the user has not been authenticated by any other authentication mechanism, the user's status is returned by the authentication system as unauthenticated. Because this method identifies the user by IP address alone, everyone behind a shared address (for example hosts behind NAT, or users of a terminal server) is treated as the same user.
Groups allowed to use web proxy: Authenticated users can be selectively granted or denied access to the web proxy service according to their authentication group membership. Proxy access permissions are only applied if an authentication method other than No user authentication has been selected.

Automatic configuration script custom direct hosts: Enter any additional hosts required in the automatic configuration script's list of direct (non-proxy routing) hosts. All hosts listed will be automatically added to a browser's "Do not use proxy server for these addresses" proxy settings if the browser accesses the automatic configuration script for its proxy settings. This is useful for internal web servers such as a company intranet server. Note: Browsers must be configured to access the automatic configuration script to receive this list of direct routing hosts.
Manual web browser settings: After enabling and restarting the service, the proxy address and port settings to be used when manually configuring end-user browsers are displayed here.
Use automatic configuration script address: After enabling and restarting the service, the automatic configuration script location is displayed here. Note: Microsoft Internet Explorer provides only limited support for automatic configuration scripts. Tests by Smoothwall indicate a number of intermittent issues regarding the browser's implementation of this feature. Smoothwall recommends the use of Mozilla-based browsers when using the automatic configuration script functionality.
Interfaces: Select the interface for the web proxy traffic.
3 Save and restart the web proxy service by clicking Save and Restart or Save and Restart with cleared cache. The web proxy will be restarted with any configuration changes applied. Note: Restarting may take up to a minute to complete. During this time, end-user browsing will be suspended and any currently active downloads will fail. It is a good idea to restart when it is convenient for the proxy end-users. Note: Save and Restart with cleared cache saves configuration changes and empties the proxy cache of all data. This is useful when cache performance has been degraded by the storage of stale information, typically from failed web-browsing or poorly constructed web sites.

About Web Proxy Methods
The following sections discuss the types of web proxy methods supported by Advanced Firewall.

Transparent Proxying
If Advanced Firewall's web proxy service has been configured to operate in transparent mode, all HTTP port 80 requests will be automatically redirected through the proxy cache. Requests on other ports, including HTTPS on port 443, are not redirected by transparent proxying and are governed only by the firewall rules. If you are having problems with transparent proxying, check that the following settings are not configured in end-user browsers:
• Automatic configuration
• Proxy server.

Non-Transparent Proxying
If Advanced Firewall's web proxy service has not been configured to operate in transparent mode, all end-user browsers on local workstations in Advanced Firewall network zones must be configured.

You can configure browser settings:
• Manually: Browsers are manually configured to enable Internet access. This information is displayed on the Services > Proxies > Web proxy page.
• Automatically using a configuration script: Browsers are configured to receive proxy configuration settings from an automatic configuration script. The configuration script is automatically generated by Advanced Firewall and is accessible to all network zones that the web proxy service is enabled on. The location is displayed on the Services > Proxies > Web proxy page.
• WPAD automatic script: Browsers are configured to automatically detect proxy settings, and a local DNS server or Advanced Firewall static DNS has a host wpad.YOURDOMAINNAME added.

Configuring End-user Browsers
The following steps explain how to configure web proxy settings in the latest version of Internet Explorer available at the time of writing.
To configure Internet Explorer:
1 Start Internet Explorer, and from the Tools menu, select Internet Options.
2 On the Connections tab, click LAN settings.
3 Configure the settings for the method you are using:
Manual:
1 In the Proxy server area, select Use a proxy server for your LAN …
2 Enter your Advanced Firewall's IP address and port number 800.
3 Click Advanced to access more settings.
4 In the Exceptions area, enter the IP address of your Advanced Firewall and any other IP addresses of content that you do not want filtered, for example, your intranet or local wiki.
5 Click OK and OK to save the settings.
Automatic configuration script:
1 In the Automatic configuration area, select Use automatic configuration script.
2 In the Automatic configuration script area, enter the location of the script, for example: http://192.168.72.141/proxy.pac
3 Ensure that no other proxy settings are enabled or have entries.
4 Click OK and OK to save the settings.

WPAD:
Note: This method is only recommended for administrators familiar with configuring web and DNS servers.
1 In the Automatic configuration area, select Automatically detect settings.
2 Click OK and OK to save the settings.
3 On a local DNS server or using Advanced Firewall static DNS, add the host wpad.YOURDOMAINNAME, substituting your domain name. The host must resolve to the Advanced Firewall IP. Note: PCs will have had to be configured with the same domain name as the A record for it to work.
When enabled in end-user browsers, Web Proxy Auto-Discovery (WPAD) prepends the hostname wpad to the front of the PC's fully qualified domain name and looks for a web server on port 80 that can supply it a wpad.dat file. The file tells the browser what proxy settings it should use. Because the browser trusts whichever host answers for that name, define wpad in your own DNS for every domain suffix your PCs search; a suffix with no wpad record is an opening for a rogue host to supply its own settings and route all browsing through itself. However, Microsoft Knowledge Base article Q252898 suggests that the WPAD method does not work on Windows 2000, and that you should use a DHCP auto-discovery method using a PAC file instead. This is contrary to some of our testing. See the article for more information.

Instant Messenger Proxying
Advanced Firewall's Instant Messenger (IM) proxy service can log the majority of IM traffic. Advanced Firewall can also censor instant messaging content; for more information, see Censoring Message Content on page 109.
Advanced Firewall can monitor Jabber/Google Talk and AIM sessions protected by SSL, using SSL Intercept. For more information, see Monitoring SSL-encrypted Chats below.
Note: Advanced Firewall cannot monitor IM sessions within HTTP requests, such as when Microsoft MSN connects through an HTTP proxy. Neither can Advanced Firewall intercept conversations which are secured by end-to-end encryption, such as provided by Off-the-Record Messaging (http://www.cypherpunks.ca/otr/).

To configure the instant messaging proxy service:
1 Browse to the Services > Proxies > Instant messenger page.
2 Configure the following settings:
Enabled: Select to enable the instant messaging proxy service.

Enabled on interfaces: Select the interfaces on which to enable IM proxying.
MSN: Select to proxy and monitor Microsoft Messenger conversations.
AIM and ICQ: Select to proxy and monitor ICQ and AIM conversations.
Yahoo: Select to proxy and monitor Yahoo conversations.
Jabber: Select to proxy and monitor conversations which use the Jabber protocol.
GaduGadu: Select to proxy and monitor GaduGadu conversations.
Intercept SSL: Select to monitor conversations on Google Talk or AIM instant messaging clients which have SSL mode enabled. For more information, see Monitoring SSL-encrypted Chats on page 96.
Enable Message Censor: Select to enable censoring of words usually considered unsuitable. Advanced Firewall censors unsuitable words by replacing them with *s. For more information, see Censoring Message Content on page 109. Note: This option does not work with the ICQ/AIM protocol.
Block all file transfers: Select this option to block file transfers using certain IM protocols. Currently, when enabled, this setting blocks files transferred using the MSN, ICQ, AIM and Yahoo IM protocols.
Hide conversation text: Select this option to record instant message events, such as messages in and out, but to discard the actual conversation text before logging.
Blocked response: Select to inform IM users that their message or file transfer has been blocked. If multiple messages or files are blocked, this message is displayed at 15 minute intervals. Note: This option does not work with the ICQ/AIM protocol.
Blocked response message: Optionally, enter a message to display when a message or file is blocked.
Logging warning response: Select to inform IM users that their conversation is being logged. This message is displayed once a week.
Logging warning response message: Optionally, enter a message to display informing users that their conversations are being logged, or accept the default message.
Automatic whitelisting: Settings here enable you to control who can instant message your local users.
Block unrecognized remote users: Select this option to automatically add a remote user to the white-list when a local user sends them an instant message. Once added to the white-list, the remote user and the local user can instant message each other freely. When this option is selected, any remote users who are not on the white-list are automatically blocked.
Number of current entries: Displays the number of entries currently in the whitelist user list.
Clear Automatic Whitelisted user list: Click to clear the white-list.
White-list users: To whitelist a user, enter their instant messaging ID, for example JohnDoe@hotmail.com.
Black-list users: To blacklist a user, enter their instant messaging ID, for example JaneDoe@hotmail.com.

Exception local IP addresses: To exclude specific IP addresses from IM proxying, enter them here.
3 Click Save to save and implement your settings.

Monitoring SSL-encrypted Chats
Advanced Firewall can monitor Google Talk and AIM instant message (IM) chats which use SSL for encryption. To do this, Advanced Firewall generates its own Advanced Firewall CA certificate, which the IM clients must be made to trust.
Note: Using Advanced Firewall to monitor SSL-encrypted IM chats reduces security on IM clients as the clients are unable to validate the real IM server certificate. A client that trusts the exported CA certificate will also accept any other certificate issued by that CA, so guard the firewall's CA key accordingly.
To monitor SSL-encrypted conversations:
1 Browse to the Services > Proxies > Instant messenger page. Enable IM proxying and configure the settings you require. For full information on the settings available, see Instant Messenger Proxying on page 93.
2 Select Intercept SSL, select the interfaces on which to enable the monitoring and click Save.
3 Click Export Certificate Authority certificate.
4 Download and install the certificate on PCs which use Google Talk and SSL-enabled AIM IM clients.
Advanced Firewall will now monitor and log the chats.

SIP Proxying
Advanced Firewall supports a proxy to manage Session Initiation Protocol (SIP) traffic. SIP normally operates on port 5060, and is used to set up sessions between two parties. SIP is often used to set up calls in Voice over Internet Protocol (VoIP) systems. In the case of VoIP, it is a Real-time Transport Protocol (RTP) session that is set up, and it is the RTP stream that carries the voice data. RTP operates on random unprivileged ports and, as such, is not NAT friendly. For this reason, Advanced Firewall's SIP proxy is also able to proxy RTP traffic, solving some of the problems involved in setting up VoIP behind NAT. Advanced Firewall's SIP proxy ensures that RTP is also proxied, allowing VoIP products to work correctly.

Types of SIP Proxy
There are two types of SIP proxy: a registering SIP proxy, and a pass-through proxy. A registering proxy or registrar allows SIP clients to register so that they may be looked up and contacted by external users. A pass-through proxy merely rewrites the SIP packets such that the correct IP addresses are used and the relevant RTP ports can be opened. Some clients will allow users to configure one SIP proxy; this is invariably the registering proxy. Others will allow for two proxies: one to which the client will register, and one which the client uses for access, a pass-through.

Choosing the Type of SIP Proxying
As with many types of proxy, the SIP proxy can be used in transparent mode. This mode is useful for those clients which do not support a second proxy within their configuration. If the proxy is operating in transparent mode, the proxy is only useful as a pass-through. The non-transparent proxy is still available, so a mixture of operation is possible. If all your clients can be properly configured with a second proxy, transparent mode is not required.

Configuring SIP
To configure and enable the SIP proxy:
1 Browse to the Services > Proxies > SIP page.
2 Configure the following settings:
Enabled: Select to enable the SIP proxy service.
SIP client internal interface: From the drop-down list, select the interface for the SIP proxy to listen for connections on. This is the interface on which you will place your SIP clients.
Maximum number of clients: Select the maximum number of clients which can use the proxy. Setting the maximum number of clients is a useful way to prevent malicious internal users performing a DoS on your registering proxy.
Logging: Select the logging level required. Select from:
Normal: Just warnings and errors
Detailed: Warnings, errors and informational messages
Very detailed: Everything, including debugging messages.
Log calls: Select if you require individual call logging.

Diffserv mark for RTP packets: From the drop-down menu, select a Diffserv mark to apply to SIP RTP packets. The built-in RTP proxy is able to apply a diffserv mark to all RTP traffic for which it proxies. This is useful because it is otherwise quite tricky to define RTP traffic, as it may occur on a wide range of ports. This traffic can be traffic shaped with SmoothTraffic, Smoothwall's Quality of Service (QoS) module, if it is installed. In this way, traffic passing through the firewall may be prioritized to give a consistent call quality to VoIP users. Prioritizing SIP traffic on port 5060 alone would not make any difference to VoIP calls, since the voice data travels in RTP. The standard mark is BE, which is equivalent to doing nothing. Other marks may be interpreted by upstream networking equipment, such as that at your ISP, and can also be acted upon by SmoothTraffic, if it is installed.
Transparent: The SIP proxy may be configured in both transparent and non-transparent mode. Select this option if you require a transparent SIP proxy. When operating transparently, the SIP proxy is not used as a registrar, but will allow internal SIP devices to communicate properly with an external registrar such as an ITSP. Note: If a client is using the proxy when transparent proxying is turned on, the existing users may fail to use the transparent proxy until the firewall is rebooted. This is due to the in-built connection tracking of the firewall's NAT.
Exception IPs: Hosts which should not be forced to use the transparent SIP proxy must be listed in the Exception IPs box.
3 Click Save to enable and implement SIP proxying.
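The pass-through proxy described in Types of SIP Proxy "rewrites the SIP packets such that the correct IP addresses are used and the relevant RTP ports can be opened". The following added example, which is not code from the guide or from Smoothwall's proxy, shows those two operations on a constructed INVITE: extracting the RTP and RTCP ports the firewall has to open for the call, and replacing the phone's private address with the firewall's external address while keeping Content-Length consistent. The addresses 10.0.0.25 (internal phone) and 203.0.113.10 (firewall external side), the SIP identities and the SDP body are all made up for the example; a real proxy additionally relays the RTP itself and substitutes its own port in the m= line, which is not shown here.

```javascript
// Added example, not Smoothwall code: what a pass-through SIP proxy has to
// do with an INVITE from a phone behind NAT. All values below are assumed.
const INTERNAL_IP = "10.0.0.25";
const EXTERNAL_IP = "203.0.113.10";

// Constructed SDP: media on UDP 49170 (RTP), RTCP conventionally on 49171.
const SDP_BODY = [
  "v=0",
  "o=alice 2890844526 2890844526 IN IP4 " + INTERNAL_IP,
  "s=-",
  "c=IN IP4 " + INTERNAL_IP,
  "t=0 0",
  "m=audio 49170 RTP/AVP 0 8",
  "a=rtpmap:0 PCMU/8000",
  "",
].join("\r\n");

const SAMPLE_INVITE = [
  "INVITE sip:bob@example.net SIP/2.0",
  "Via: SIP/2.0/UDP " + INTERNAL_IP + ":5060;branch=z9hG4bK776asdhds",
  "From: <sip:alice@example.net>;tag=1928301774",
  "To: <sip:bob@example.net>",
  "Call-ID: a84b4c76e66710@" + INTERNAL_IP,
  "CSeq: 314159 INVITE",
  "Contact: <sip:alice@" + INTERNAL_IP + ":5060>",
  "Content-Type: application/sdp",
  "Content-Length: " + Buffer.byteLength(SDP_BODY),
  "",
  SDP_BODY,
].join("\r\n");

// Split a SIP message into start line, [name, value] headers and body.
function parseSipMessage(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const lines = head.split("\r\n");
  const headers = [];
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i === -1) continue; // tolerate a malformed line rather than drop the call
    headers.push([line.slice(0, i).trim(), line.slice(i + 1).trim()]);
  }
  return { startLine: lines[0], headers, body };
}

// Ports the firewall must open for this call: the port from each m= line
// and, for RTP media, the RTCP port one above it. Opening only these, only
// for the call's duration, is what avoids exposing the whole unprivileged range.
function rtpPortsToOpen(raw) {
  const { body } = parseSipMessage(raw);
  const ports = [];
  for (const line of body.split("\r\n")) {
    if (!line.startsWith("m=")) continue;
    const [, portField, proto] = line.slice(2).split(" ");
    const port = parseInt(portField, 10); // "49170/2" style counts are tolerated
    if (!Number.isInteger(port) || port <= 0 || port > 65535) continue;
    ports.push(port);
    if (proto && proto.startsWith("RTP/")) ports.push(port + 1);
  }
  return ports;
}

// The address rewrite: Via, Contact and the SDP o=/c= lines get the external
// address and Content-Length is recomputed because the body changed size.
// Call-ID is left alone; it identifies the dialogue and must not change.
function rewriteForNat(raw, internalIp, externalIp) {
  const { startLine, headers, body } = parseSipMessage(raw);
  const swap = (s) => s.split(internalIp).join(externalIp);
  const newBody = body.split("\r\n")
    .map((l) => (l.startsWith("c=") || l.startsWith("o=")) ? swap(l) : l)
    .join("\r\n");
  const newHeaders = headers.map(([name, value]) => {
    const n = name.toLowerCase();
    if (n === "via" || n === "contact") return [name, swap(value)];
    if (n === "content-length") return [name, String(Buffer.byteLength(newBody))];
    return [name, value];
  });
  return [startLine, ...newHeaders.map(([n, v]) => n + ": " + v), "", newBody].join("\r\n");
}
```

`rtpPortsToOpen` is the reason a "prioritize port 5060" rule does nothing for call quality: the ports that matter are negotiated per call inside the SDP, which is why the guide has the RTP proxy apply the Diffserv mark rather than a static port rule.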

FTP Proxying
Advanced Firewall provides you with a proxy to manage FTP traffic and also makes transparent proxying possible.

Configuring non-Transparent FTP Proxying
The following section explains how to configure FTP proxying in non-transparent mode.
1 Browse to the Services > Proxies > FTP page.
2 Configure the following settings:
Status: Select Enabled to enable the FTP proxy.
Proxy port: From the drop-down list, select the port for FTP traffic. Note: The port you select must be open for the FTP client. You configure this on the System > Administration > External access page. See Chapter 13, Configuring External Access on page 273 for more information.
Anti-malware scanning: Select to scan files for malware. Note: For performance reasons, files larger than 100 MB are not scanned for malware, so a transfer above that size reaches the client unscanned.

Access control:
Allow connections to any server: Select to allow FTP connections to all servers.
Only connections to specified servers: Select to specify which remote FTP connections are allowed and configure the following:
Remote FTP server white-list: Enter the hostname or IP address of any remote FTP servers you want to white-list. Enter one hostname or IP, colon and port per line, for example: ftp.company.com or 1.2.3.4. If no information is listed, all hostnames on all ports will be accessible.
3 Click Save changes to save the settings and enable non-transparent FTP proxying.
4 Configure FTP clients as follows:
Remote host: Enter Advanced Firewall's hostname or IP address.
Remote port: Enter the FTP proxy port configured on Advanced Firewall, either 21 or 2121. See Configuring non-Transparent FTP Proxying on page 99 for more information.
Remote username: Enter the username in the following format: remoteusername@remoteftpserver

Configuring Transparent FTP Proxying
To configure transparent FTP proxying:
1 Browse to the Services > Proxies > FTP page.

2 Configure the following settings:
Status: Select Enabled to enable the FTP proxy.
Proxy port: From the drop-down list, select the port for FTP traffic. Note: The port you select must be open for the FTP client. You configure this on the System > Administration > External access page. See Chapter 13, Configuring External Access on page 273 for more information.
Anti-malware scanning: Select to scan files for malware. Note: For performance reasons, files larger than 100 MB are not scanned for malware.
Access control:
Allow connections to any server: Select to allow FTP connections to all servers.
Only connections to specified servers: Select to specify which remote FTP connections are allowed and configure the following:
Remote FTP server white-list: Enter the hostname or IP address of any remote FTP servers you want to white-list. Enter one hostname or IP, colon and port per line, for example: ftp.company.com or 1.2.3.4. If no information is listed, all hostnames on all ports will be accessible.
3 In the Transparent proxy settings area, configure the following settings:
Source IPs:
Transparently proxy all IPs: Select to transparently FTP proxy for all source IPs.
Transparently proxy only the following IPs: Select to transparently FTP proxy for the source IPs specified. Enter the IP addresses of local machines which are to be allowed access to transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4
Transparently proxy all except the following IPs: Select to transparently FTP proxy all except the source IPs specified. Enter the IP addresses of local machines which are to be excluded from transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4

Destination IPs:
Transparently proxy all IPs: Select to transparently FTP proxy for all destination IPs.
Transparently proxy only the following IPs: Select to transparently FTP proxy for the destination IPs specified. Enter the IP addresses of the machines which are to be allowed access to transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4
Transparently proxy all except the following IPs: Select to transparently FTP proxy all except the destination IPs specified. Enter the IP addresses of the machines which are to be excluded from transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4
Transparent proxy interfaces: Select the interface on which to transparently proxy FTP traffic.
4 Click Save changes to save the settings and enable transparent FTP proxying.
When running Advanced Firewall's FTP proxy in transparent mode, you do not need to configure FTP client applications.

Reverse Proxy Service
Advanced Firewall's reverse proxy service enables you to control requests from the Internet and forward them to servers in an internal network. The reverse proxy service:
• Provides the ability to route multiple HTTP and HTTPS sites to each of their own internal servers
• Provides the ability to publish Microsoft Exchange services such as Outlook Web Access (OWA) and Outlook Anywhere (previously RPC over HTTPS)
• Monitors traffic passing through the reverse proxy
• Increases server efficiency by SSL off-loading
• Improves web server security using the intrusion prevention system (IPS).

Configuring the Reverse Proxy Service
The following sections explain how to enable, configure and deploy the reverse proxy service.
To enable, configure and deploy the reverse proxy service:
1 Navigate to the Services > Proxies > Reverse proxy page.
2 In the Global options area, configure the following settings:
Reverse proxy: Select one of the following settings:
Enable: Select to enable the service.
Disable: Select to disable the service.
SSL certificate: The reverse proxy service caters for HTTPS sites using an SSL certificate. Select one of the following options to specify the SSL certificate to use:
Built-in: Select this option to use Advanced Firewall's built-in SSL certificate. This certificate is not issued for your published site by a CA that visitors' browsers trust, so expect certificate warnings on a public site unless you use a custom certificate.
Custom certificate: Select this option to upload a custom certificate and key file. To upload a custom certificate and key:
1 Certificate: Click the Choose file/Browse button and browse to and select the certificate. Click Upload to upload the certificate.
2 Key: Click the Choose file/Browse button and browse to and select the key. Click Upload to upload the key.
Note: The certificate and key files must be distinct and separate and they must be in the unencrypted PEM format. Because the key is handled unencrypted, upload it only over the HTTPS administration session and remove any spare copies afterwards.
Tip: You can use the XCA certificate and key management client to import and export your SSL certificates and key files in any standard format.

Click Save to save the global options.
3 In the Manage rule area, configure the following settings:
Name: Enter a descriptive name for the reverse proxy rule.
External address: Enter the URL, domain or IP address of the site you want to publish in the following format: http://example.com, https://www.example.com or http://192.168.1.1. You must include http or https in the address. You can also enter a path to the site you want to publish in the URL, e.g. http://example.com/path/. Note: When configuring www.example.com and example.com, they are treated as distinct and separate sites, unless you use a wildcard for the domain. To cover every host in a domain with one rule, use a wildcard in place of the host part of the address.
Internal address: Enter the protocol with the IP address, or IP address and port, of the web server, e.g. http://192.168.1.1 or http://192.168.1.1:1234. A port number is optional on the internal address; this enables you to specify custom destination ports for various internal web servers. If no port is specified, Advanced Firewall will default to 80 for HTTP sites and 443 for HTTPS sites.
Failback internal address: Enter the IP address, e.g. 192.168.1.1, or IP address and port, e.g. 192.168.1.1:1234, of the web server to fail back to if a request does not match an address already configured. Any request whose hostname matches no rule is handed to this server, so only configure one that is meant to receive arbitrary requests from the Internet.
4 Optionally, click Advanced and configure the following settings:
Intrusion prevention: Advanced Firewall's intrusion prevention system (IPS) policies stop intrusions such as known and zero-day attacks, undesired access and denial of service. Select Enable apply to apply an enabled IPS policy. For more information, see Managing the Intrusion System on page 114.
5 Click Save. Advanced Firewall enables and deploys the reverse proxy service and lists the rule in the Rules area.
6 Repeat the steps above to enable, configure and deploy more rules.

SNMP
Simple Network Management Protocol (SNMP) is part of the IETF's Internet Protocol suite. It is used to enable a network-attached device to be monitored, typically for centralized administrative purposes. In SNMP terminology, Advanced Firewall can be regarded as a managed device when the SNMP service is enabled. Advanced Firewall's SNMP service operates as an SNMP agent that gathers all manner of system status information, including the following:
• System name, description, location and contact information
• Live TCP and UDP connection tables
• Detailed network interface and usage statistics
• Network routing table
• Disk usage information
• Memory usage information.
The SNMP service allows all gathered management data to be queried by any

SNMP-compatible NMS (Network Management System) device that is a member of the same SNMP community.
For specific details about how to view all the information made accessible by Advanced Firewall's SNMP service, please refer to the product documentation that accompanies your preferred SNMP management tool.
Note: To view information and statistics provided by the system's SNMP service, a third-party SNMP management tool is required.
Note: To access the SNMP service, remote access permissions for the SNMP service must be configured. For further information, see Chapter 13, Configuring Administration and Access Settings on page 272.
To enable and configure the SNMP service:
1 Navigate to the Services > SNMP > SNMP page.
2 Select Enabled and enter the SNMP community password into the Community text field. The Community field is effectively a simple password control that enables SNMP devices sharing the same password to communicate with each other. The default value public is the standard SNMP community. Because public is known to everyone and a community string is sent in the clear with every SNMP request, change it and grant SNMP access only to the management hosts that need it; the connection tables and routing information listed above are useful reconnaissance for anyone who can query them.
3 Click Save.

DNS
The following sections discuss domain name system (DNS) services in Advanced Firewall.

Adding Static DNS Hosts
Advanced Firewall can use a local hostname table to resolve internal hostnames. This allows the IP address of a named host to be resolved by its hostname.
Note: Advanced Firewall itself can resolve static hostnames regardless of whether the DNS proxy service is enabled.

To add a static DNS host:
1 Navigate to the Services > DNS > Static DNS page.
2 Configure the following settings:
Setting Description
IP address – Enter the IP address of the host you want to be resolved.
Hostname – Enter the hostname that you would like to resolve to the IP address.
Comment – Enter a description of the host.
Enabled – Select to enable the new host being resolved.
3 Click Add. The static host is added to the Current hosts table.

Editing and Removing Static Hosts
To edit or remove existing static hosts, use Edit and Remove in the Current hosts area.

Enabling the DNS Proxy Service
The DNS proxy service is used to provide internal and external name resolution services for local network hosts. In this mode, local network hosts use Advanced Firewall as their primary DNS server to resolve external names, if an external connection is available, in addition to any local names that have been defined in the Advanced Firewall’s static DNS hosts table.

Note: If the DNS proxy settings were configured as 127.0.0.1 during the initial installation and setup process of Advanced Firewall, the system will use the DNS proxy for name resolution.
To enable the DNS proxy service on a per-interface basis:
1 Navigate to the Services > DNS > DNS Proxy page.
2 Configure the following settings:
Setting Description
Interfaces – Select each interface that should be able to use the DNS proxy.
Advanced – Forward SRV & SOA records: Optionally, select this setting to stop the DNS proxy from filtering out SRV & SOA records. Any such filtering would prevent SIP, Kerberos and other services from functioning.
3 Click Save.

Managing Dynamic DNS
Advanced Firewall’s dynamic DNS service is useful when using an external connection that does not have a static IP, in order to enable consistent routing to Advanced Firewall from the Internet. Dynamic host rules are used to automatically update leased DNS records by contacting the service provider whenever the system's IP address is changed by the ISP.
The dynamic DNS service can operate with a number of third-party dynamic DNS service providers. The following dynamic DNS service providers are supported:
DNS service providers
dhs.org
dyndns.org (Custom)
dyndns.org (Dynamic)
dyndns.org (Static)
dyns.cx
easydns.com
ez-ip.net
hn.org
no-ip.com
ods.org
zoneedit.com
Many of these service providers offer a free of charge, basic service.

To create a dynamic host:
1 Navigate to the Services > DNS > Dynamic DNS page.
2 Configure the following settings:
Setting Description
Service – From the drop-down list, select your dynamic DNS service provider.
Behind a proxy – Select if your service provider is no-ip.com and the system is behind a web proxy. Note: This is not necessary when using dyndns.org as the service provider.
Enable wildcards – Select to specify that sub-domains of the hostname should resolve to the same IP address, for example domain.dyndns.org and sub.domain.dyndns.org will both resolve to the same IP. Note: This option cannot be used with no-ip.com, it must be selected from their web site.
Hostname – Enter the hostname registered with the dynamic DNS service provider.
Domain – Enter the domain registered with the dynamic DNS service provider.
Username – Enter the username registered with the dynamic DNS service provider.
Password – Enter the password registered with the dynamic DNS service provider.
Comment – Enter a description of the dynamic DNS host.
Enabled – Select to enable the service.
3 Click Add. The dynamic host will be added to the Current hosts table.

Editing and Removing Dynamic Hosts
To edit or remove existing dynamic hosts, use Edit and Remove in the Current hosts area.

Forcing a Dynamic DNS Update
The dynamic DNS service will update the DNS records for the host whenever the host’s IP address changes. However, it may be necessary on some occasions to forcibly update the service provider's records.
To force an update:
1 Click Force update.

Note: Dynamic DNS service providers do not like updating their records when an IP address has not changed, and may suspend the user accounts of users they deem to be abusing their service.

Censoring Message Content
Advanced Firewall enables you to create and deploy policies which accept, modify, block and/or log content in messages.

Configuration Overview
Configuring a message censor policy entails:
• Defining custom categories required to cater for situations not covered by the default Advanced Firewall phrase lists. For more information, see Creating Custom Categories on page 109.
• Configuring time periods during which policies are applied. For more information, see Setting Time Periods on page 110.
• Configuring filters which classify messages by their textual content. For more information, see Creating Filters on page 111.
• Configuring and deploying a policy consisting of a filter, an action, a time period and level of severity. For more information, see Creating and Applying Message Censor Policies on page 113.

Managing Custom Categories
Custom categories enable you to add phrases which are not covered by the default Advanced Firewall phrase lists. The following sections explain how to create, edit and delete custom categories.

Creating Custom Categories
The following section explains how to create a custom category.
To create a custom category:
1 Browse to the Services > Message censor > Custom categories page.

2 Configure the following settings:
Setting Description
Name – Enter a name for the custom category.
Comment – Optionally, enter a description of the category.
Phrases – Enter the phrases you want to add to the category. Enter one phrase, in brackets, per line, using the format:
(example-exact-phrase) – Advanced Firewall matches exact phrases without taking into account possible spelling errors.
(example-approximate-phrase)(2) – For the number specified, Advanced Firewall uses ‘fuzzy’ matching to take into account that number of spelling mistakes or typographical errors when searching for a match.
3 Click Add. Advanced Firewall adds the custom category to the current categories list and makes it available for selection on the Services > Message censor > Filters page.
4 At the top of the page, click Restart to apply the changes.

Editing Custom Categories
The following section explains how to edit a custom category.
To edit a custom category:
1 Browse to the Services > Message censor > Custom categories page.
2 In the Current categories area, select the category and click Edit.
3 In the Phrases area, add, edit and/or delete phrases. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Custom Categories
The following section explains how to delete custom categories.
To delete custom categories:
1 Browse to the Services > Message censor > Custom categories page.
2 In the Current categories area, select the category or categories and click Remove.
3 At the top of the page, click Restart to apply the changes.

Setting Time Periods
You can configure Advanced Firewall to apply policies at certain times of the day and/or days of the week.
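The two phrase forms above, exact and fuzzy with an allowed number of errors, are simple to test offline before a category is deployed. The following is an added example, not Smoothwall code, and it assumes nothing about how Advanced Firewall implements its matching internally: it parses a phrase list in the documented format and scans a message with exact matching for plain phrases and Levenshtein-distance matching (Sellers' approximate substring search) for phrases carrying an error budget. The message and phrases are constructed sample input.

```python
import re
from dataclasses import dataclass

# One phrase per line, in brackets; an optional trailing "(n)" allows up to n
# spelling errors, i.e. the "(example-approximate-phrase)(2)" form.
PHRASE_LINE = re.compile(r"^\(([^()]+)\)(?:\((\d+)\))?$")


@dataclass(frozen=True)
class Phrase:
    text: str        # phrase, lower-cased for case-insensitive matching
    max_errors: int  # 0 = exact match only


def parse_category(lines):
    """Parse a custom-category phrase list; rejects lines not in the documented format."""
    phrases = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        match = PHRASE_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed phrase line: {raw!r}")
        phrases.append(Phrase(match.group(1).lower(), int(match.group(2) or 0)))
    return phrases


def min_substring_distance(pattern, text):
    """Smallest Levenshtein distance between `pattern` and any substring of `text`.

    Sellers' algorithm: row 0 is all zeros, so a match may begin at any text
    position at no cost, and the answer is the minimum of the final row.
    """
    prev = [0] * (len(text) + 1)
    for i, p in enumerate(pattern, start=1):
        cur = [i] + [0] * len(text)
        for j, t in enumerate(text, start=1):
            cost = 0 if p == t else 1
            cur[j] = min(prev[j] + 1,        # drop a pattern character
                         cur[j - 1] + 1,     # absorb an extra text character
                         prev[j - 1] + cost) # substitute or match
        prev = cur
    return min(prev)


def scan_message(message, phrases):
    """Return the phrase texts (in list order) that match `message`."""
    text = message.lower()
    hits = []
    for phrase in phrases:
        if phrase.max_errors == 0:
            matched = phrase.text in text
        else:
            matched = min_substring_distance(phrase.text, text) <= phrase.max_errors
        if matched:
            hits.append(phrase.text)
    return hits


if __name__ == "__main__":
    # Constructed sample category and message.
    category = parse_category(["(credit card)", "(confidential)(2)", "(social security)"])
    print(scan_message("Please send the Confidentail report", category))
```

The fuzzy form is deliberately generous: a short phrase with a large error budget will match almost anything, so keep the number small relative to the phrase length and test categories against a sample of legitimate traffic before choosing Block as the action.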

To set a time period:
1 Browse to the Services > Message censor > Time page.
2 Configure the following settings:
Setting Description
Name – Enter a name for the time period.
Active from – to – From the drop-down lists, set the time period. Select the weekdays when the time period applies.
Comment – Optionally, enter a description of the time period.
3 Click Add. Advanced Firewall creates the time period and makes it available for selection on the Services > Message censor > Policies page.
4 At the top of the page, click Restart to apply the changes.

Editing Time Periods
The following section explains how to edit a time period.
To edit a time period:
1 Browse to the Services > Message censor > Time page.
2 In the Current time periods area, select the time and click Edit.
3 In the Time period settings, edit the settings. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Time Periods
The following section explains how to delete time periods.
To delete time periods:
1 Browse to the Services > Message censor > Time page.
2 In the Current time periods area, select the period(s) and click Remove.
3 At the top of the page, click Restart to apply the changes.

Creating Filters
Advanced Firewall uses filters to classify messages according to their textual content. Advanced Firewall supplies a default filter. You can also create custom categories of phrases for use in filters. For more information, see Creating Custom Categories on page 109.
You can create, edit and delete filters.

To create a filter:
1 Browse to the Services > Message censor > Filters page.
2 Configure the following settings:
Setting Description
Name – Enter a name for the filter.
Comment – Optionally, enter a description of the filter.
Custom phrase list – Select the categories you want to include in the filter.
3 Click Add. Advanced Firewall creates the filter and makes it available for selection on the Services > Message censor > Policies page.
4 At the top of the page, click Restart to apply the changes.

Editing Filters
You can add, change or delete categories in a filter.
To edit a filter:
1 Browse to the Services > Message censor > Filters page.
2 In the Current filters area, select the filter and click Edit.
3 In the Custom phrase list area, edit the settings. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Filters
You can delete filters which are no longer required.
To delete filters:
1 Browse to the Services > Message censor > Filters page.
2 In the Current filters area, select the filter(s) and click Remove.
3 At the top of the page, click Restart to apply the changes.

Creating and Applying Message Censor Policies
The following section explains how to create and apply a censor policy for message content. A policy consists of a filter, an action, a time period and a level of severity.
To create and apply a censor policy:
1 Browse to the Services > Message censor > Policies page.
2 Configure the following settings:
Setting Description
Service – From the drop-down menu, select one of the following options:
IM proxy incoming – Select to apply the policy to incoming instant message content.
IM proxy outgoing – Select to apply the policy to outgoing instant message content.
Click Select to update the policy settings available.
Filter – From the drop-down menu, select a filter to use. For more information on filters, see Creating Filters on page 111.
Action – From the drop-down menu, select one of the following actions:
Block – Content which is matched by the filter is discarded.
Censor – Content which is matched by the filter is masked but the message is delivered to its destination.
Categorize – Content which is matched by the filter is allowed and logged.
Allow – Content which is matched by the filter is allowed and is not processed by any other filters.
Time period – From the drop-down menu, select a time period to use. For more information on time periods, see Setting Time Periods on page 110.
Log severity level – From the drop-down list, select a level to assign to the content if it violates the policy, or accept the default setting. Based on the log severity level, you can configure Advanced Firewall to send an alert if the policy is violated. See Chapter 12, Configuring the Inappropriate Word in IM Monitor Alert on page 232 for more information.
Comment – Optionally, enter a description of the policy.
Enabled – Select to enable the policy.

3 Click Add and, at the top of the page, click Restart to apply the policy. Advanced Firewall applies the policy and adds it to the list of current policies.

Editing Policies
You can add, change or delete a policy.
To edit a policy:
1 Browse to the Services > Message censor > Policies page.
2 In the Current policies area, select the policy and click Edit.
3 Edit the settings as required; see Creating and Applying Message Censor Policies on page 113 for information on the settings available. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Policies
You can delete policies which are no longer required.
To delete policies:
1 Browse to the Services > Message censor > Policies page.
2 In the Current policies area, select the policy or policies and click Remove.
3 At the top of the page, click Restart to apply the changes.

Managing the Intrusion System
Advanced Firewall’s intrusion system performs real-time packet analysis on all network traffic in order to detect and prevent malicious network activity. Advanced Firewall can detect a vast array of well-known service exploits including buffer overflow attempts, port scans and CGI attacks. All violations are logged and the logged data can be used to strengthen the firewall by creating IP block rules against identified networks and source IPs.

About the Default Policies
By default, Advanced Firewall comes with a number of intrusion policies which you can deploy immediately. The default policies will change as emerging threats change and will be updated regularly.

Deploying Intrusion Detection Policies
Advanced Firewall’s default policies enable you to deploy intrusion detection immediately to identify threats on your network.
Note: Currently, it is not possible to deploy Advanced Firewall intrusion prevention policies and run SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your Smoothwall representative if you need more information.

To deploy an intrusion detection policy:
1 Browse to the Services > Intrusion system > IDS page.
2 Configure the following settings:
Setting Description
IDS Policy – From the drop-down list, select the policy you want to deploy. You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network. See About the Default Policies on page 114 for more information on the policies available, and Chapter 8, Creating Custom Policies on page 117.
Interface – From the drop-down list, select the interface on which you want to deploy the policy.
Comment – Enter a description for the policy.
Enabled – Select this option to enable the policy.
3 Click Add. Advanced Firewall deploys the policy and lists it in the Current IDS policies area.

Removing Intrusion Detection Policies
To remove an intrusion detection policy from deployment:
1 Browse to the Services > Intrusion system > IDS page.
2 In the Current IDS policies area, select the policy you want to remove.
3 Click Remove. Advanced Firewall removes the policy.

Deploying Intrusion Prevention Policies
Note: Currently, it is not possible to deploy Advanced Firewall intrusion prevention policies and run SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your Smoothwall representative if you need more information.
Advanced Firewall enables you to deploy intrusion prevention policies to stop intrusions such as known and zero-day attacks, undesired access and denial of service.

To deploy an intrusion prevention policy:
1 Browse to the Services > Intrusion system > IPS page.
2 Configure the following settings:
Setting Description
IPS Policy – From the drop-down list, select the policy you want to deploy. You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network. See About the Default Policies on page 114 for more information on the policies available, and Chapter 8, Creating Custom Policies on page 117.
Comment – Enter a description for the policy.
Enabled – Select this option to enable the policy.
3 Click Add. Advanced Firewall lists the policy in the Current IPS policies area.

Removing Intrusion Prevention Policies
To remove an intrusion prevention policy from deployment:
1 Browse to the Services > Intrusion system > IPS page.
2 In the Current IPS policies area, select the policy you want to remove.
3 Click Remove. Advanced Firewall removes the policy.

Creating Custom Policies
By default, Advanced Firewall contains a number of policies which you can deploy to detect and prevent intrusions. It is also possible to create custom policies to suit your individual network.
To create a custom policy:
1 Browse to the Services > Intrusion system > Policies page.

Tip: If the list of signatures takes some time to load, try upgrading to the latest version of your browser to speed up the process.
2 Configure the following settings:
Setting Description
Name – Enter a name for the policy you are creating.
Comment – Enter a description for the custom policy.
Signatures – From the list, select the signatures you want to include in the policy. For information on how to add custom signatures, see Uploading Custom Signatures on page 118.
3 Click Add. Advanced Firewall creates the policy and lists it in the Current policies area. The policy is now available when deploying intrusion detection and intrusion prevention policies. For more information, see Deploying Intrusion Detection Policies on page 114 and Deploying Intrusion Prevention Policies on page 115.

Uploading Custom Signatures
Advanced Firewall enables you to upload custom signatures and/or Sourcefire Vulnerability Research Team (VRT) signatures and make them available for use in intrusion detection and prevention policies.
Note: Use custom signatures with caution as Advanced Firewall cannot verify custom signature integrity.
To upload custom signatures:
1 Navigate to the Services > Intrusion system > Signatures page.
2 Configure the following settings:
Setting Description
Custom signatures – Click Browse to locate and select the signatures file you want to upload. Click Upload to upload the file. Advanced Firewall uploads the file and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page.
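Because the firewall cannot verify the integrity of an uploaded signatures file, the sensible place for that check is on the administrator's side before the upload. The following is an added example, not Smoothwall code and not part of the Snort or Sourcefire tooling: it reads a Snort-style rules file, confirms each non-comment line has a parseable rule header and a sid option, flags duplicate sids and sids below 1,000,000 (by the widely used convention that lower numbers are reserved for vendor rule sets; this is an assumption about the reader's numbering scheme, not a product requirement stated on the page), and records the file's SHA-256 so the uploaded content can later be tied to a change record. The rules in the sample are constructed for the example.

```python
import hashlib
import re

# Snort-style rule: action, protocol, src, sport, direction, dst, dport, then "(options)".
RULE_HEADER = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)
SID_OPTION = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")
MSG_OPTION = re.compile(r'msg\s*:\s*"([^"]*)"')
LOCAL_SID_MIN = 1_000_000  # assumed convention: lower sids are reserved for vendor rules

# Constructed sample file; not taken from any vendor feed.
SAMPLE_RULES = b"""# constructed sample local rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example web probe"; flow:to_server,established; content:"/cgi-bin/example"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL duplicate sid"; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL reserved sid range"; sid:2001; rev:1;)
this line is not a rule
"""


def check_rules_file(data: bytes) -> dict:
    """Inspect a signatures file before upload.

    Returns the file's SHA-256, the rules that parsed, and a list of
    (line number, problem) pairs for lines an administrator should look at.
    """
    report = {"sha256": hashlib.sha256(data).hexdigest(), "rules": [], "problems": []}
    seen_sids = {}
    lines = data.decode("utf-8", errors="replace").splitlines()
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = RULE_HEADER.match(line)
        if header is None:
            report["problems"].append((lineno, "not a recognisable rule line"))
            continue
        options = header.group(8)
        sid_match = SID_OPTION.search(options)
        msg_match = MSG_OPTION.search(options)
        if sid_match is None:
            report["problems"].append((lineno, "rule has no sid option"))
            continue
        sid = int(sid_match.group(1))
        if sid in seen_sids:
            report["problems"].append((lineno, f"sid {sid} duplicates line {seen_sids[sid]}"))
        elif sid < LOCAL_SID_MIN:
            report["problems"].append((lineno, f"sid {sid} is below the local range ({LOCAL_SID_MIN})"))
        seen_sids.setdefault(sid, lineno)
        report["rules"].append({
            "line": lineno,
            "action": header.group(1),
            "sid": sid,
            "msg": msg_match.group(1) if msg_match else "",
        })
    return report


if __name__ == "__main__":
    result = check_rules_file(SAMPLE_RULES)
    print("sha256:", result["sha256"])
    for lineno, problem in result["problems"]:
        print(f"line {lineno}: {problem}")
```

Keeping the recorded digest next to the change ticket gives you something to compare against if a policy later starts behaving unexpectedly: re-hash the file you believe was uploaded and you know whether the signatures in use are the ones that were reviewed.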

Oink code – If you have signed-up with Sourcefire to use their signatures, enter your Oink code here. Click Update to update and apply the latest signature set. Advanced Firewall downloads the signature set and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page. Note: Updating the signatures can take several minutes.
Use syslog for Intrusion logging – Select this option to enable logging intrusion events in the syslog.
3 Click Save.
Any custom signatures you have uploaded to Advanced Firewall or Sourcefire VRT signatures you have downloaded to Advanced Firewall will be listed on the Services > Intrusion system > Policies page. For information on deploying intrusion policies, see Deploying Intrusion Detection Policies on page 114 and Deploying Intrusion Prevention Policies on page 115.

Deleting Custom Signatures
It is possible to delete custom signatures that have been made available on the Services > Intrusion system > Policies page.
Note: If you choose to delete custom signatures, Advanced Firewall will delete all custom signatures. If there are detection or prevention policies which use custom signatures, the signatures will be deleted from the policies.
To delete custom signatures:
1 On the Services > Intrusion system > Signatures page, click Delete.
2 Advanced Firewall prompts you to confirm the deletion. Click Confirm. Advanced Firewall deletes the signatures.

DHCP
Advanced Firewall's Dynamic Host Configuration Protocol (DHCP) service enables network hosts to automatically obtain IP address and other network settings. Advanced Firewall DHCP provides a fully featured DHCP server, with the following capabilities:
• Support for 2 DHCP subnets
• Allocate addresses within multiple dynamic ranges and static assignments per DHCP subnet
• Automate the creation of static assignments using the ARP cache

Each subnet can have a number of dynamic and static IP ranges defined.

Enabling DHCP
To enable DHCP:
1 Navigate to the Services > DHCP > Global page.
2 Configure the following settings:
Setting Description
Enabled – Select to enable the DHCP service.
Server – Select to set the DHCP service to operate as a DHCP server in standalone mode for network hosts.
Relay (forwarding proxy) – Select to set the DHCP service to operate as a relay, forwarding DHCP requests to another DHCP server.
Enable logging – Select to enable logging.
3 Click Save to enable the service.

Creating a DHCP Subnet
The DHCP service enables you to create DHCP subnets.

To create a DHCP subnet:
1 Navigate to the Services > DHCP > DHCP server page.
2 Configure the following settings:
Setting Description
DHCP Subnet – From the drop-down menu, select Empty and click Select.
Subnet name – Enter a name for the subnet.
Network – Enter the IP address that specifies the network ID of the subnet when combined with the network mask value entered in the netmask field. For example: 192.168.10.0.
Netmask – Define the subnet range by entering a network mask, for example 255.255.255.0.
Primary DNS – Enter the value that a requesting network host will receive for the primary DNS server it should use.
Secondary DNS – Optionally, enter the value that a requesting network host will receive for the secondary DNS server it should use.

Default gateway – Enter the value that a requesting network host will receive for the default gateway it should use.
Domain name suffix – Enter the domain name suffix that will be appended to the requesting host's hostname.
Default lease time (mins) – Enter the lease time in minutes assigned to network hosts that do not request a specific lease time. The default value is usually sufficient.
Max lease time (mins) – Enter the lease time limit in minutes to prevent network hosts requesting, and being granted, impractically long DHCP leases. The default value is usually sufficient.
Enabled – Determines whether the DHCP subnet is currently active.
Click Advanced to access the following settings:
Primary WINS – Optionally, enter the value that a requesting network host will receive for the primary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Secondary WINS – Optionally, enter the value that a requesting network host will receive for the secondary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Primary NTP – Optionally, enter the IP address of the Network Time Protocol (NTP) server that the clients will use if they support this feature. Tip: Enter Advanced Firewall’s IP address and clients can use its time services if enabled. See Chapter 13, Setting Time on page 269 for more information.
Secondary NTP – Optionally, enter the IP address of a secondary Network Time Protocol (NTP) server that the clients will use if they support this feature. Tip: Enter Advanced Firewall’s IP address and clients can use its time services if enabled. See Chapter 13, Setting Time on page 269 for more information.
TFTP server – Enter which Trivial File Transfer Protocol (TFTP) server workstations will use when booting from the network.
Network boot filename – Specify to the network booting client which file to download when booting off the above TFTP server.
Automatic proxy config URL – Specify a URL which clients will use for determining proxy settings. Note that it should reference a proxy auto-config (PAC) file and only some systems and web browsers support this feature.
Custom DHCP options – Any custom DHCP options created on the Services > DHCP > Custom options page are listed for use on the subnet. For more information, see Creating Custom DHCP Options on page 125.
3 Click Save.
Note: For the DHCP server to be able to assign these settings to requesting hosts, further configuration is required. Dynamic ranges and static assignments must be added to the DHCP subnet so that the server knows which addresses it should allocate to the various network hosts.

Editing a DHCP subnet
To edit a DHCP subnet:
1 Navigate to the Services > DHCP > DHCP server page.
2 From the DHCP Subnet drop-down list, select the subnet and click Select.
3 Edit the settings displayed in the Settings area.
4 Click Save.

Deleting a DHCP subnet
To delete a DHCP subnet:
1 Navigate to the Services > DHCP > DHCP server page.
2 From the DHCP Subnet drop-down list, select the subnet and click Select.
3 Click Delete.

Adding a Dynamic Range
Dynamic ranges are used to provide the DHCP server with a pool of IP addresses in the DHCP subnet that it can dynamically allocate to requesting hosts.
To add a dynamic range to an existing DHCP subnet:
1 Navigate to the Services > DHCP > DHCP server page.
2 Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3 In the Add a new dynamic range area, configure the following settings:
Setting Description
Start address – Enter the start of an IP range over which the DHCP server should supply dynamic addresses from. This address range should not contain the IPs of other machines on your LAN with static IP assignments. For example, enter 192.168.10.15.
End address – Enter the end of an IP range over which the DHCP server should supply dynamic addresses to. This address range should not contain the IPs of other machines on your LAN with static IP assignments.
Comment – Enter a description of the dynamic range.
Enabled – Select to enable the dynamic range.
4 Click Add dynamic range. The dynamic range is added to the Current dynamic ranges table.

Adding a Static Assignment
Static assignments are used to allocate fixed IP addresses to nominated hosts. This is used to ensure that certain hosts are always leased the same IP address, as if they were configured with a static IP address. This is done by referencing the unique MAC address of the requesting host’s network interface card.
To add a static assignment to an existing DHCP subnet:
1 Navigate to the Services > DHCP > DHCP server page.
2 Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.

3 Scroll to the Add a new static assignment area and configure the following settings:
Setting Description
MAC address – Enter the MAC address of the network host’s NIC as reported by an appropriate network utility on the host system. This is entered as six pairs of hexadecimal numbers, with a space, colon or other separator character between each pair, e.g. 12 34 56 78 9A BC or 12:34:56:78:9A:BC.
IP address – Enter the IP address that the host should be assigned.
Comment – Enter a description of the static assignment.
Enabled – Select to enable the assignment.
4 Click Add static. The static assignment is added to the Current static assignments table.

Adding a Static Assignment from the ARP Table
In addition to the previously described means of adding static DHCP assignments, it is possible to add static assignments automatically from MAC addresses detected in the ARP table.
To add a static assignment from the ARP cache to an existing DHCP subnet:
1 Navigate to the Services > DHCP > DHCP server page.
2 Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3 Scroll to the Add a new static assignment from ARP table area.
4 Select one or more MAC addresses from those listed and click Add static from ARP table.
5 Click Save.

Editing and Removing Assignments
To edit or remove existing dynamic ranges and static assignments, use the options available in the Current dynamic ranges and Current static hosts areas.

Viewing DHCP Leases
To view free leases:
1 Navigate to the Services > DHCP > DHCP leases page.

2 Select Show free leases and click Update. The following information is displayed:
Field Description
IP address – The IP address assigned to the network host which submitted a DHCP request.
MAC address – The MAC address of the network host that submitted a DHCP request.
Hostname – The hostname assigned to the network host that submitted a DHCP request.
Start time – The start time of the DHCP lease granted to the network host that submitted a DHCP request.
End time – The end time of the DHCP lease granted to the network host that submitted a DHCP request.
State – The current state of the DHCP lease. The state can be either Active, that is, currently leased, or Free, meaning the IP address is reserved for the same MAC address or re-used if not enough slots are available.

DHCP Relaying
Advanced Firewall DHCP relay enables you to forward all DHCP requests to another DHCP server and re-route DHCP responses back to the requesting host.
Note: DHCP relaying must be enabled on the Services > DHCP > Global page.
To configure DHCP relaying:
1 Connect to Advanced Firewall and navigate to the Services > DHCP > DHCP relay page.
2 Enter the IP addresses of an external primary and secondary (optional) DHCP server into the Primary DHCP server and Secondary DHCP server fields.
3 Click Save.

Creating Custom DHCP Options
Advanced Firewall enables you to create and edit custom DHCP options for use on subnets. For example, to configure and use SIP phones you may need to create a custom option which specifies a specific option code and SIP directory server.

To create a custom option:
1 Browse to the Services > DHCP > Custom options page.
2 Configure the following settings:
Setting Description
Option code – From the drop-down list, select the code to use. The codes available are between the values of 128 and 254, with 252 excluded as it is already allocated.
Option type – From the drop-down list, select the option type:
IP address – Select when creating an option which uses an IP address.
Text – Select when creating an option which uses text.
Description – Enter a description for the option. This description is displayed on the Services > DHCP > DHCP server page.
Comment – Optionally, enter any comments relevant to the option.
Enabled – Select to enable the option.
3 Click Add. Advanced Firewall creates the option and lists it in the Current custom options area.
For information on using custom options, see Creating a DHCP Subnet on page 120.
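The DHCP pages above state several consistency rules that the web interface leaves to the administrator: the network address must agree with the netmask, dynamic ranges must lie inside the subnet and must not contain addresses given out as static assignments, a MAC address may be written with a space, colon or other separator, and custom option codes must be in 128–254 with 252 excluded. The following is an added example, not Smoothwall code, that checks a subnet definition against those rules before it is typed into the Services > DHCP > DHCP server page; it uses only the Python standard library, and the network, ranges and MAC addresses in it are constructed sample values.

```python
import ipaddress
import re


def normalize_mac(mac: str) -> str:
    """Accept six hex pairs with space, colon, dot or dash separators (or none) and
    return the canonical aa:bb:cc:dd:ee:ff form; raise ValueError otherwise."""
    digits = re.sub(r"[\s:.\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_subnet(network, netmask, dynamic_ranges, static_assignments, option_codes=()):
    """Return a list of human-readable problems; an empty list means the definition is consistent.

    dynamic_ranges: iterable of (start, end) address strings
    static_assignments: iterable of (mac, ip) strings
    option_codes: custom DHCP option codes referenced by the subnet
    """
    problems = []
    try:
        # strict=True rejects a network address with host bits set (e.g. 192.168.10.5/24)
        subnet = ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    except ValueError as exc:
        return [f"subnet: {exc}"]

    pools = []
    for start, end in dynamic_ranges:
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if first > last:
            problems.append(f"dynamic range {start}-{end}: start is after end")
            continue
        for label, addr in (("start", first), ("end", last)):
            if addr not in subnet:
                problems.append(f"dynamic range {label} {addr} is outside {subnet}")
            elif addr in (subnet.network_address, subnet.broadcast_address):
                problems.append(f"dynamic range {label} {addr} is the network or broadcast address")
        pools.append((first, last))

    seen = {}
    for mac, ip in static_assignments:
        try:
            key = normalize_mac(mac)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if key in seen:
            problems.append(f"MAC {key} is assigned twice ({seen[key]} and {ip})")
        seen.setdefault(key, ip)
        addr = ipaddress.IPv4Address(ip)
        if addr not in subnet:
            problems.append(f"static assignment {key} -> {addr} is outside {subnet}")
        for first, last in pools:
            if first <= addr <= last:
                problems.append(f"static assignment {key} -> {addr} lies inside dynamic range {first}-{last}")

    for code in option_codes:
        if not 128 <= code <= 254 or code == 252:
            problems.append(f"custom DHCP option code {code} is not in 128-254 (252 is already allocated)")
    return problems


if __name__ == "__main__":
    # Constructed sample subnet: the static host sits inside the dynamic pool,
    # another static host is on the wrong network, and option 252 is reserved.
    for problem in validate_subnet(
        "192.168.10.0", "255.255.255.0",
        [("192.168.10.15", "192.168.10.100")],
        [("12 34 56 78 9A BC", "192.168.10.50"), ("12:34:56:78:9a:bd", "192.168.11.5")],
        [150, 252],
    ):
        print(problem)
```

The overlap check is the one worth keeping even if you drop the rest: a static assignment whose address also sits in a dynamic pool will work until the pool hands that address to a different client, and the resulting intermittent conflict is hard to diagnose from the leases page alone.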

Chapter 9 Virtual Private Networking
In this chapter:
• All about Advanced Firewall, VPNs and tunnels.

Advanced Firewall VPN Features
Advanced Firewall contains a rich set of Virtual Private Network (VPN) features:
Feature Description
IPSec site-to-site – Industry-standard IPSec site-to-site VPN tunneling.
IPSec road warriors – Mobile user VPN support using IPSec road warrior clients such as SafeNet SoftRemote, as well as others.
L2TP road warriors – Mobile user VPN support using Microsoft Windows 2000 and XP, as well as older versions of Windows. No client software required; the software is part of the Windows operating system.
SSL VPN – Mobile user VPN support using OpenVPN SSL and a light-weight client installed on the user’s computer/laptop.
Internal VPNs – Support for VPNs routed over internal networks.
Authentication – Industry-standard X509 certificates or Pre-Shared Keys (subnet VPN tunnels).
Certificate management – Full certificate management controls built into the interface, with import and export capabilities in a number of formats. Self-signed certificates can be generated.
Tunnel controls – Individual controls for all VPN tunnels.
Logging – Comprehensive logging of individual VPN tunnels.

What is a VPN?
A VPN, in the broadest sense, is a network route between computer networks, or individual computers, across a public network. The public network, in most cases, is the Internet. Typically, a VPN replaces a leased line or other circuit which is used to link networks together over some geographic distance. In a similar way to how a VPN can replace leased line circuits used to route networks together, a VPN can also replace Remote Access Server (RAS) phone or ISDN lines. These types of connections are usually referred to as road warriors.
The P in VPN technologies refers to the encryption and authentication employed to maintain an equivalent level of privacy that one would expect using a traditional circuit which a VPN typically replaces.
There are several technologies which implement VPNs. Some are wholly proprietary, others are open standards. The most commonly deployed VPN protocol is called IPSec, for IP Security, and is a well established and open Internet standard, and generally all vendors of network security products will have an offering in their product portfolio.

VPNs are mostly used to link multiple branch office networks together. Tunnels can be formed between two VPN gateways. About VPN Gateways A VPN gateway is a network device responsible for managing incoming and outgoing VPN connections. see X509 Authentication on page 129. For more information. • Route all data received from its own Local Area Network (LAN) to the correct VPN tunnel. • Allow VPN tunnels to be managed. is actually who or what it identifies itself to be. • Authenticate the other end of a VPN connection. Since VPN gateways are not usually in the same physical location. Conversely. or to connect mobile and home users. that is a person. to their office network. Advanced Firewall supports several authentication methods that can be used to validate a VPN gateway’s identity: Authentication method Pre-Shared Key Description Usually referred to as PSK. it is not readily determinable that either gateway is genuine. road warriors. as published by the ITU-T and ISO standardization bodies. • Manage tunnels – control the opening and closing of tunnels. site-to-site VPNs. • Decrypt secure data received from the VPN tunnel. see PSK Authentication on page 129. • Configure authentication – define a secure means for each VPN gateway to identify the other. the remote gateway must be assured that the initiating gateway is not an imposter. and generally all vendors of network security products will have an offering in their product portfolio. Administrator Responsibilities A network administrator has three responsibilities: • Specify the tunnel – define the tunnel on each VPN gateway. The network route between a site-to-site or road warrior VPN is provided by a VPN tunnel.Virtual Private Networking About VPN Authentication established and open Internet standard. A VPN gateway must perform a number of specific tasks: • Allow VPN tunnels to be configured. All data traversing the tunnel is encrypted. 
• Route all data received from the tunnel to the correct computer on the LAN. i. A gateway that initiates a VPN connection must be assured that the remote gateway is the right one. About VPN Authentication Authentication is the process of validating that a given entity. this is a simplistic authentication method based on a password challenge. X509 An industry strength and internationally recognized authentication method using a system of digital certificates. thus making the tunnel and its content unintelligible and therefore private to the outside world. For more information. 128 . • Encrypt all data presented to the VPN tunnel into secure data packets. ensure it can be identified and trusted. system or device. Many implementations of this standard exist.e.

Authentication method Description
Username/password: In addition to using X509, all users of L2TP road warrior connections must enter a valid username and password, as specified when the L2TP tunnel definition is created. This ensures that both the user and the VPN gateway (the L2TP client) are authenticated.

A more in depth examination of the PSK and X509 authentication methods can be found in the following sections, including recommendations for the usage of each.

PSK Authentication
To use the Pre-Shared Key (PSK) method, connecting VPN gateways are pre-configured with a shared password that only they know. When initiating a VPN connection, each gateway requests the other's password. If the password received by each gateway matches the password stored by each gateway, both gateways know that the other must be genuine, i.e. each gateway is authentic and a secure, trusted VPN tunnel can be established.
The simplicity of PSK is both its strength and its weakness. While PSK tunnels are quick to set up, there are human and technological reasons that make this method unsuitable for larger organizations. Password protection is easily circumvented as passwords are frequently written down, spoken aloud or shared amongst administrator colleagues. Some VPN configurations will also require multiple tunnels to use the same password – highly undesirable if your organization intends to create multiple road warrior VPN connections. While it is possible to create large VPN networks based entirely on PSK authentication, such a scheme is likely to prove unmanageable in the long run and liable to misuse. Hence, PSK authentication is best suited when a single site-to-site or road warrior VPN capability is required.

X509 Authentication
In this model, each VPN gateway is given a digital certificate that it can present to prove its identity, much like a traveler can present his or her passport. Digital certificates are created and issued by a trusted entity called a Certificate Authority (CA), just like a government is entrusted to provide its citizens with passports. In the world of digital certificates, a CA can be called upon to validate the authenticity of a certificate, in the same way that a government can be asked to validate a citizen's passport.

About Digital Certificates
A digital certificate, referred to here as a certificate, is an electronic document that uniquely identifies its owner. Certificates contain information about both its owner, the subject, and its issuer, the CA, and contain the following information:
Information Description
Subject: Information about who the certificate was issued to, i.e. their country, company name etc.
Issuer: Information about the CA that created and signed the certificate.
Validity period: The start and expiry dates, during which time the certificate is valid.
Certificate ID: An alternative identifier for the certificate owner in abbreviated form.
However, it is not yet clear whether the certificate is a forgery – to prove absolute authenticity, X509 utilizes public-key cryptography.

Public-key cryptography is an encryption mechanism that involves the use of a mathematically related pair of encryption keys, one called a private key and the other called a public key. The mathematical relationship allows messages encrypted with the private key to be decrypted by the public key and vice versa. It is computationally infeasible to derive either key from the other. It is also impossible for any other key to decrypt a message apart from the encrypting key's counterpart. If the private key is kept secret by its owner, and the public key is freely accessible to all, any message successfully decrypted using the public key can only have originated from the private key owner. This concept is exploited by CAs to sign all certificates they create.
To sign a certificate, the CA takes the content of the certificate and encrypts it using its private key. The encrypted content is inserted into the certificate, much like a watermark or other security feature is added to a passport by a government. Anybody wishing to determine the authenticity of the certificate can therefore attempt to decrypt the CA signature using the public key attainable from the issuing CA. If the signature can be successfully decrypted and matches the issuer details declared in the certificate, the certificate is proven to be authentic.
However, this only proves that the CA genuinely issued the certificate. Just because a passport was validly issued by a government does not mean that the person presenting it is its rightful owner. This is solved by one further stage of encryption, this time the certificate owner uses its private key to encrypt the entire certificate (including the CA's signature) before presenting the certificate. It can now be proven beyond all doubt that the certificate is the property of its rightful owner (by decrypting it using the owner's public key) and that the certificate was issued by the specified CA (by decrypting the CA's signature from the certificate using the CA's public key).
It is usual for a single CA to provide certificates for an entire network of peer systems, but there are alternative schemes that use multiple CAs which will be discussed later.

Advanced Firewall and Digital Certificates
Advanced Firewall is equipped to handle all aspects of setting up a self-contained X509 authentication system. Advanced Firewall enables you to:
• Create a trusted CA.
• Create signed digital certificates.
• Manage exporting and installing certificates on other Advanced Firewall / VPN gateway systems.
Alternatively, digital certificates can be leased from companies like Verisign or Thawte and then imported, or they can be created by a separate CA such as the one included in Microsoft Windows 2000. The use of a local Advanced Firewall CA is recommended as a more convenient and equally secure approach.

Configuration Overview
The following sections cover the separate topics of CAs, certificates, site-to-site VPNs, road warrior VPNs, internal VPNs and management in great depth. As an overview to these sections, these are the steps required to create a typical site-to-site VPN connection:
1 On the master Advanced Firewall system, create a local Certificate Authority. For details, see Creating a CA on page 131.
2 Create certificates for the master Advanced Firewall system and the remote Advanced Firewall system.
3 Install the master Advanced Firewall's certificate as its default local certificate.
4 Create a tunnel specification on the master Advanced Firewall system that points to the remote Advanced Firewall system.

5 Export the CA certificate and the remote Advanced Firewall certificate from the master Advanced Firewall system.
6 Import the CA certificate on the remote Advanced Firewall system, as exported by step 5.
7 Import and install the remote Advanced Firewall system's certificate, as exported by step 5.
8 Create a tunnel specification on the remote Advanced Firewall system that matches the one created by step 4.
9 Bring the connection up.
10 Ensure that appropriate zone bridging rules are configured and active in order to permit traffic to and from the VPN tunnel. For further information see Chapter 6, Configuring Inter-Zone Security on page 59.
Note: For VPN configuration tutorials, see VPN Tutorials on page 178.

Working with Certificate Authorities and Certificates
A Certificate Authority (CA) is an implicitly trusted system that is responsible for issuing and managing digital certificates. A certificate created by a known CA can be authenticated as genuine. It is possible to purchase certificates from an externally managed CA, but this can be inconvenient and costly. The following sections explain how to create a local CA using Advanced Firewall, for the purpose of creating certificates for VPN tunnel authentication. They also explain how to export and import CA certificates so that a remote Advanced Firewall has knowledge of the CA. Maintenance tasks such as how to delete CAs are also discussed.

Creating a CA
To create your own certificates for use in VPN tunnel authentication, you require access to at least one CA. If you already have a CA on your network, it may be useful to use that, in which case refer to Importing Another CA's Certificate on page 133. This section explains how to create a CA using Advanced Firewall.

To create a CA:
1 Navigate to the VPN > VPN > Certificate authorities page.
2 Configure the following settings:
Setting Description
Common name: Enter an easily identifiable name.
Organization: Enter an organizational identifier.
Department: Enter a departmental identifier.
Locality or town: Enter a locality or town.
State or province: Enter a state or province.
Country: Enter a two letter country code.
Email: Enter an administrative email address.
Life time: From the drop-down menu, select the length of time that the CA will remain valid for.
User defined (days): If User defined is selected as the life time value of the CA, enter the number of days the CA will be valid.
3 Click Create Certificate Authority. The local CA is created and displayed.
Once a CA has been created, you can use it to create digital certificates for network hosts. You can also export the CA's own certificate to other systems which can use it to authenticate digital certificates issued by the CA.

Exporting the CA Certificate
Once a CA has been created, you need to export its certificate so that other systems can recognize and authenticate any signed certificates it creates. You can deliver the certificate to another system without any special security requirements since it contains only public information. There are two different export formats.
To export the CA certificate:
1 Navigate to the VPN > VPN > Authorities page and configure the following settings:
Setting Description
Name: In the Installed Certificate Authority certificates area, locate and select the local CA certificate.
Export format: From the drop-down list, select the format in which to export the certificate authority's certificate. The following formats are available: CA certificate in PEM – An ASCII (textual) certificate format commonly used by Microsoft operating systems. Select this format if the certificate is to be used on another Smoothwall System. CA certificate in BIN – A binary certificate format, select if the certificate is to be used on a system which requires this format. Consult the system's documentation for more information.
2 Click Export and choose to save the file to disk from the dialog box launched by your browser.

Importing Another CA's Certificate
To authenticate a signed certificate produced by a non-local CA, you must import the non-local CA's certificate into Advanced Firewall. This is usually done on secondary Advanced Firewall systems so that they can authenticate certificates created by a master Advanced Firewall system's CA.
Note: The certificate must be in PEM format to be imported.
To import the CA's certificate:
1 Navigate to the VPN > VPN > Authorities page.
2 In the Import Certificate Authority certificate area, click Browse.
3 Locate and open the CA's certificate that you wish to import.
4 Click Import CA cert from PEM. The certificate is listed in the Installed Certificate Authority certificates area.

Deleting the Local Certificate Authority and its Certificate
To delete the local CA and its certificate:
1 Navigate to the VPN > VPN > Authorities page.
2 In the Delete local Certificate Authority region, select Confirm delete.
3 Click Delete Certificate Authority. The Create local Certificate Authority region replaces the Delete local Certificate Authority region. This change in layout occurs because a CA no longer exists on the Advanced Firewall system. Once the local CA has been deleted, the Create local Certificate Authority region will be displayed.
Note: Deleting the local CA will invalidate all certificates that it has created.
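The two stages described under X509 Authentication above (the CA signs the certificate content with its private key and any peer checks it with the CA's public key, then the presenter proves it holds the private key behind the certificate) are what the CA export and import procedures above distribute trust for. The following Python program is an added example and not Advanced Firewall code: it uses textbook RSA with small, seeded primes and a JSON certificate carrying the four fields from the table on page 129, so that issuing, verifying, rejecting an altered certificate and proving possession can be traced end to end. The key size, the hash-to-modulus shortcut and the challenge-signature form of the second stage are simplifications chosen for the example; real X509 uses large keys, padded signatures and DER-encoded structures, and this code must not be used for real certificates.

```python
"""Toy CA: sign a certificate, verify it, and prove ownership.

Added example, not Smoothwall code. Textbook RSA with small seeded primes
makes the guide's two stages concrete: (1) the CA signs the certificate
content and anyone checks it with the CA's public key; (2) the presenter
proves it holds the private key matching the certificate. NOT secure.
"""
import hashlib
import json
import random

_rng = random.Random(20131201)  # fixed seed: reproducible toy keys


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test (probabilistic, adequate for a toy)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=64):
    """Return (public, private) as ((n, e), (n, d)). Toy key size only."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data, n):
    # Reduce SHA-256 into the modulus range (toy stand-in for a padding scheme).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(_digest(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)


def tbs_bytes(cert):
    """Canonical 'to be signed' bytes: every field except the signature."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_name, ca_private, subject, cert_id, owner_public,
                      not_before, not_after):
    """The CA fills the four fields from the guide's table and signs them."""
    cert = {"subject": subject, "issuer": ca_name,
            "validity": [not_before, not_after], "certificate_id": cert_id,
            "public_key": list(owner_public)}
    cert["signature"] = sign(ca_private, tbs_bytes(cert))
    return cert


def verify_certificate(cert, ca_name, ca_public, today):
    """Stage one: issuer matches, today is inside the validity period, and the
    CA signature checks out against the CA's public key."""
    if cert["issuer"] != ca_name:
        return False
    not_before, not_after = cert["validity"]  # ISO dates compare as strings
    if not (not_before <= today <= not_after):
        return False
    return verify(ca_public, tbs_bytes(cert), cert["signature"])


def prove_possession(owner_private, challenge):
    """Stage two: sign a fresh challenge with the key behind the certificate."""
    return sign(owner_private, challenge)


def check_possession(cert, challenge, response):
    return verify(tuple(cert["public_key"]), challenge, response)


def demo():
    """Returns (genuine cert verifies, altered cert verifies, owner proves key)."""
    ca_pub, ca_priv = generate_keypair()
    gw_pub, gw_priv = generate_keypair()
    cert = issue_certificate("Head Office CA", ca_priv, "branch.example.test",
                             "branch.example.test", gw_pub, "2013-01-01", "2014-12-31")
    genuine = verify_certificate(cert, "Head Office CA", ca_pub, "2013-12-01")
    altered = dict(cert, subject="other.example.test")  # signature no longer fits
    altered_ok = verify_certificate(altered, "Head Office CA", ca_pub, "2013-12-01")
    challenge = b"constructed nonce 1234"
    owned = check_possession(cert, challenge, prove_possession(gw_priv, challenge))
    return genuine, altered_ok, owned
```

Note what the verifier needs in order to run stage one: only the CA's public key, which is exactly what the exported CA certificate carries, and why the guide says it can be distributed without special protection. A certificate signed by a different CA, an expired one, or one whose subject has been edited after signing all fail `verify_certificate`; a presenter without the matching private key fails `check_possession`.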

Deleting an Imported CA Certificate
To delete an imported CA's certificate:
1 Navigate to the VPN > VPN > Authorities page.
2 Locate and select the non-local CA certificate in the Installed Certificate Authority certificates region.
3 Click Delete. The CA certificate will no longer appear in the Installed Certificate Authority certificates region and Advanced Firewall will not be able to authenticate any certificates created by it.

Managing Certificates
The following sections explain how to create, view, import, export and delete certificates in Advanced Firewall.

Creating a Certificate
Once a local Certificate Authority (CA) has been created, you can generate certificates. It is normal for a single CA to create certificates for all other hosts that will be used as VPN gateways, i.e. all other Advanced Firewall systems. The first certificate created is usually for the Advanced Firewall system that the CA is installed on. This is because the Advanced Firewall VPN gateway is a separate entity to the CA, and therefore requires its own certificate.
To create a new signed certificate:
1 Navigate to the VPN > VPN > Certificates page.

2 Scroll to the Create new signed certificate area and configure the following settings:
Setting Description
ID type: From the drop-down menu, select the certificate's ID type. The options are: No ID – Not recommended but available for inter-operability with other VPN gateways. Host & Domain Name – Recommended for most site-to-site VPN connections. Email address – Recommended for road warrior or internal VPN connections. IP address – Recommended for site-to-site VPNs whose gateways use static IP addresses.
ID value: Enter an ID value. For a site-to-site Advanced Firewall VPN this is typically a hostname. This does not need to be a registered DNS name. For a road warrior this is usually the user's email address. This does not need to be a real email address, although the use of a real email address is recommended.
Common name: Enter a common name for the certificate, for example Head Office.
Organization: Enter an organizational identifier for the certificate owner.
Department: Enter a departmental identifier for the certificate owner.
Locality or town: Enter a locality or town for the certificate owner.
State or province: Enter a state or province for the certificate owner.
Country: Enter a two letter country code.
Email: Enter an email address for the individual or host system that will own this certificate.
Life time: From the drop-down menu, select the length of time that the certificate will remain valid for.
User defined (days): If User defined is selected as the life time value of the certificate, enter the number of days the certificate will be valid for.
3 Click Create signed certificate. The certificate is listed in the Installed signed certificates area.

Reviewing a Certificate
You can review the content of a certificate. Reviewing certificates can be useful for checking certificate content and validity.
To review a certificate:
1 Navigate to the VPN > VPN > Certificates page.
2 Locate the certificate that you wish to view in the Installed signed certificates region.
3 Click the certificate name. The content is displayed in a new browser window.
4 Close the browser window to return to Advanced Firewall.

Exporting Certificates
Any certificates you create for the purpose of identifying other network hosts must be exported so that they can be distributed to their owner.
To export a certificate:
1 Navigate to the VPN > VPN > Certificates page and scroll to the Installed signed certificates area.

2 Select the certificate you want to export and configure the following settings:
Setting Description
Export format: From the drop-down menu, select the format in which to export the certificate. The following formats are available: Certificate in PEM – An ASCII (textual) certificate format commonly used by Microsoft operating systems. Recommended for all Advanced Firewall to Advanced Firewall VPN connections. Certificate in DER – A binary certificate format for use with non-Advanced Firewall VPN gateways. Private key in DER – Exports just the private key in binary for use with non-Advanced Firewall VPN gateways. Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.
3 Click Export. Choose to save the certificate file (a .pem or .der file) to disk in the dialog box launched by your browser software. The certificate will be saved to the browser's local file system in the specified format.

Exporting in the PKCS#12 Format
PKCS#12 is a container format used to transport a certificate and its private key. It is recommended for use in all Advanced Firewall to Advanced Firewall VPNs and L2TP road warriors.
To export a certificate in the PKCS#12 container format:
1 Navigate to the VPN > VPN > Certificates page.
2 In the Installed signed certificates region, locate and select the certificate that you wish to export.
3 Enter and confirm a password in the Password and Again fields.
4 Click Export certificate and key as PKCS#12.
5 Choose to save the PKCS#12 container file (a .p12 file) to disk in the dialog box launched by your browser software. The PKCS#12 file will be saved to the browser's local file system.
Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.

Importing a Certificate
Advanced Firewall systems that do not have their own CA will be required to import and install a host certificate to identify themselves. This is the normal process for secondary Advanced Firewall systems, for example, branch office systems connecting to a head office that has an Advanced Firewall system and CA.
To import a certificate:
1 Navigate to the VPN > VPN > Certificates page. In the Import certificates area, configure the following settings:
Setting Description
Password: Enter the password that was specified when the certificate was created.
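The PEM and DER (BIN) formats offered by the CA export on the Authorities page and the certificate export above hold the same DER-encoded structure; PEM is that structure base64-encoded between BEGIN/END lines, which is why it survives copy-and-paste and e-mail while DER does not. The helpers below are an added example, not Advanced Firewall code: they convert between the two, decode the outer DER header as a quick sanity check on a file before importing it, and flag a PEM file that carries a private key block, which is the case the secure-distribution notes above apply to (a CA certificate never needs that handling). The sample DER bytes are constructed for the example (a minimal ASN.1 SEQUENCE) and are not a real certificate.

```python
"""PEM / DER helpers. Added example, not Smoothwall code.

PEM is the ASCII form of a DER-encoded object: a base64 body wrapped in
-----BEGIN/END----- lines. SAMPLE_DER is constructed for the example; it is a
minimal ASN.1 SEQUENCE { INTEGER 1, UTF8String "toy" }, not a certificate.
"""
import base64
import re

SAMPLE_DER = bytes([0x30, 0x08, 0x02, 0x01, 0x01, 0x0C, 0x03]) + b"toy"

_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_to_pem(der, label="CERTIFICATE"):
    """Base64-encode DER bytes and wrap them at 64 columns, PEM style."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    blocks = []
    for match in _PEM_RE.finditer(text):
        body = re.sub(r"\s+", "", match.group(2))
        blocks.append((match.group(1), base64.b64decode(body, validate=True)))
    return blocks


def pem_to_der(text):
    """Extract the DER bytes of a file that holds exactly one PEM block."""
    blocks = pem_blocks(text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one PEM block, found %d" % len(blocks))
    return blocks[0][1]


def der_outer_length(der):
    """Decode the outer SEQUENCE header and return the total encoded size.

    Raises ValueError if the bytes are not a well-formed DER SEQUENCE, which
    is the quickest way to tell a DER file from a PEM (text) file or junk.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        length, header = first, 2
    else:                                 # long form: next (first & 0x7F) bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
            raise ValueError("bad DER length")
        length, header = int.from_bytes(der[2:2 + nbytes], "big"), 2 + nbytes
    total = header + length
    if total != len(der):
        raise ValueError("DER length %d does not match data size %d" % (total, len(der)))
    return total


def contains_private_key(text):
    """True if any PEM block carries key material; such a file needs the
    secure-distribution handling the guide calls for, unlike a CA certificate."""
    return any("PRIVATE KEY" in label for label, _ in pem_blocks(text))
```

Use `pem_to_der` on a file that the Authorities page rejects to confirm it really is PEM, and `der_outer_length` on a BIN/DER export to confirm the file was saved whole; a truncated download fails the length check.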

Setting Description
Import PKCS#12 filename: To import a certificate in PKCS#12 format: 1 Click Browse and navigate to and select the certificate file. 2 Click Import certificate and key from PKCS#12.
Import PEM filename: To import a certificate in PEM format: 1 Click Browse and navigate to and select the certificate file. 2 Click Import certificate from PEM.
Advanced Firewall imports the signed certificate and lists it in the Installed signed certificates area.

Deleting a Certificate
To delete an installed certificate:
1 Navigate to the VPN > VPN > Certificates page.
2 In the Installed signed certificates region, locate and select the certificate that you wish to delete.
3 Click Delete. The signed certificate will be removed from the Installed signed certificates region.

Setting the Default Local Certificate
One of the most important configuration tasks is to set the default local certificate on each Advanced Firewall host. The default local certificate should be the certificate that identifies its host.

To set the default local certificate:
1 Navigate to the VPN > VPN > Global page.
2 In the Default local certificate region, select the host's certificate from the Certificate drop-down list and click Save.
3 When prompted by Advanced Firewall, click Restart to deploy the certificate. This certificate will now be used by default in all future tunnel specifications, unless otherwise specified.

Site-to-Site VPNs – IPSec
The following sections explain how to create a site-to-site VPN tunnel between two Advanced Firewall systems. The tunnel will use the IPSec protocol to create a secure, encrypted tunnel between head office and a branch office.

Recommended Settings
For Advanced Firewall to Advanced Firewall connections, the following settings are recommended for maximum security and optimal performance:
Setting Selection
Encryption: AES
Authentication type: ESP
Hashing algorithm: SHA
Perfect Forward Secrecy: Enabled
Compression: Enabled – unless predominant VPN traffic is already encrypted or compressed.

Creating an IPsec Tunnel
Note: Many parameters are used when creating an IPSec site-to-site VPN tunnel. For Advanced Firewall to Advanced Firewall connections, many settings can be left at their default values. However, for maximum compatibility with other VPN gateways, some settings may require adjustment. This section describes each parameter that can be configured when creating an IPSec tunnel. For more VPN tutorials, see VPN Tutorials on page 178.
To create a site-to-site tunnel:
1 On the Advanced Firewall at head office, browse to the VPN > VPN > IPSec subnets page.
2 Configure the following settings:
Setting Description
Name: Enter a descriptive name for the tunnel connection, for example: New York to London.
Enabled: Select to enable the connection.
Local IP: Enter the IP address of the external interface used on the local Advanced Firewall host. Note: This field should usually be left blank to automatically use the default external IP (recommended).

Setting Description
Local network: Specify the local subnet that the remote host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.10.0/255.255.255.0.
Remote IP or hostname: Enter the IP address or hostname of the remote system. The remote IP can be left blank if the remote peer uses a dynamic IP address.
Remote network: This should specify the remote subnet that the local host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.20.0/255.255.255.0.
Local ID type: From the drop-down list, select the type of the ID that will be presented to the remote system. The choices are: Default local Certificate Subject – Uses the subject field of the default local certificate as the local certificate ID. Local IP – Uses the local IP address of the host as the local certificate ID. User specified Certificate Subject – Uses a user specified certificate subject as the local certificate ID. User specified Host & Domain Name – Uses a user specified host and domain name as the local certificate ID. User specified Email address – Uses a user specified email address as the local certificate ID. User specified IP address – Uses a user specified IP address as the local certificate ID. Note: User specified types are mostly used when connecting to non-Advanced Firewall VPN gateways. Consult your vendor's administration guide for details regarding the required ID type and its formatting.
Local ID value: This field is only used if the local ID type is a User specified type (this is typically used when connecting to non-Advanced Firewall VPN gateways).
Remote ID type: From the drop-down menu, select the type of ID that the remote gateway is expected to present. The choices available are: Remote IP (or ANY if blank Remote IP) – The remote ID is the remote IP address, or any other form of presented ID. User specified Certificate Subject – Allows the user to specify a custom certificate subject string that it should expect the remote gateway to present as ID (typically used for non-Advanced Firewall VPN gateways). User specified Host & Domain Name – Allows the user to specify a custom host and domain name that it should expect the remote gateway to present as ID. User specified Email address – Allows the user to specify a custom email address that it should expect the remote gateway to present as ID. User specified IP address – Allows the user to specify a custom IP address that it should expect the remote gateway to present as ID.
Remote ID value: Enter the value of the ID used in the certificate that the remote peer is expected to present. In most cases, you can leave this field blank because its value will be automatically retrieved by Advanced Firewall during the connection process (according to the chosen ID type).
Authenticate by: From the drop-down list, select the authentication method. For more information on PSK and X509 authentication, see About VPN Authentication on page 128.

Setting Description
Preshared key: Enter the preshared key when PSK is selected as the authentication method.
Preshared key again: Re-enter the preshared key entered in the Preshared key field if PSK is selected as the authentication method.
Interface: Select which interface will be used for this connection, either on external or internal interfaces. PRIMARY means the connection will be on the external interface.
Initiate the connection: Select to enable the local VPN system to initiate this tunnel connection if the remote IP address is known.
Comment: Enter a descriptive comment for the tunnel, for example: London connection .100 to Birmingham .250.
3 Optionally, click Advanced. Note: Advanced settings are usually used for compatibility with other VPN gateway systems, although they can be tweaked for performance gains in Advanced Firewall to Advanced Firewall VPN connections. For more information, see Advanced VPN Configuration on page 171.
4 Enter the following information:
Setting Description
Local certificate: This is used in non-standard X509 authentication arrangements.
Authentication type: Select the authentication type used during the authentication process. ESP – Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance. AH – IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. Because AH provides only authentication and not encryption, AH is not recommended. This is useful for compatibility with older VPN gateways. This setting should be the same on both tunnel specifications of two connecting gateways.
Use compression: Select to compress tunnel communication. This is useful for low bandwidth connections, but it does increase CPU utilization on both host systems. The benefits of compression also vary depending on the type of traffic that will flow through the tunnel. For example, compressing encrypted data such as HTTPS, or VPN tunnels within tunnels, may decrease performance. The same rule applies when transferring data that is already compressed, for example streaming video. For any tunnel with a high proportion of encrypted or already-compressed traffic, compression is not recommended. For non-encrypted, uncompressed traffic, compression is recommended. This setting must be the same on the tunnel specifications of both connecting gateways.
Perfect Forward Secrecy: Select to enable the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. VPN gateways must agree on the use of PFS. PFS is recommended for maximum security.

Setting Description
Phase 1 cryptographic algo: Select the encryption algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. 3DES – A triple strength version of the DES cryptographic standard using a 168-bit key. The 3DES is a very strong encryption algorithm though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility. AES 128 – Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance. AES 256 – Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. Recommended for maximum security.
Phase 1 hash algo: Select the hashing algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. MD5 – A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility. SHA – Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. Recommended for maximum security.
Phase 2 cryptographic algo: Selects the encryption algorithm to use for the second phase of VPN tunnel establishment. See Phase 1 cryptographic algo for more information on the options.
Phase 2 hash algo: Selects the hashing algorithm to use for the second phase of VPN tunnel establishment. See Phase 1 hash algo for more information on the options.
Key life: Set the length of time that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended. This setting should be the same on both tunnel specifications of two connecting gateways.
IKE lifetime: Set how frequently, in minutes, the Internet Key Exchange keys are reexchanged. This setting should be the same on both tunnel specifications of two connecting gateways.
Key tries: Set the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because if an active connection drops, it will persistently try to re-key a connection that it can't initiate.
Do not rekey: Select to disable re-keying. This can be useful when working with NAT-ed endpoints.

Local internal IP: This optional setting is used when Advanced Firewall itself sends traffic in the IPsec tunnel. Enter the IP of the network interface to use when Advanced Firewall itself sends traffic in the tunnel.

Note: If you do not use this setting, Advanced Firewall will not, itself, be able to send traffic in the IPsec tunnel.

5 Click Add to create the tunnel.

IPSec Site to Site and X509 Authentication – Example

This example explains how to create a site-to-site IPSec tunnel using X509 authentication between two Advanced Firewall systems.

Prerequisite Overview

Before you start, you must do the following:

1 Create a CA on the local system. For information on how to do this, see Creating a CA on page 131.
2 Create certificates for the local and remote systems using Host and Domain Name as the ID type. For information on how to do this, see Creating a Certificate on page 134.
3 Install the local certificate as the default local certificate on the local system.
4 Export the CA certificate in PEM format. For information on how to do this, see Exporting Certificates on page 135.
5 Export the remote certificate in the PKCS#12 container format. For information on how to do this, see Exporting in the PKCS#12 Format on page 136.
6 Import and install the certificate as the default local certificate on the remote system. For information on how to do this, see Importing a Certificate on page 136.

Once the above steps have been completed, proceed with creating tunnel specifications on the local and remote systems as detailed in the following sections.

Creating the Tunnel on the Primary System

To create the tunnel on the primary system:

1 On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:

Name: Enter a descriptive name for the tunnel.

Enabled: Select to ensure that the tunnel can be activated once configuration is completed.

Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.

Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address / network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.

Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the primary system to the secondary system by using the host and domain name ID value in the primary system’s default local certificate.

Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.

Remote IP or hostname: If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.

Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.

Remote ID type: From the drop-down list, select User specified Host & Domain Name.

Remote ID value: Enter the ID value (the hostname) of the secondary system’s default local certificate.

Authenticate by: From the drop-down list, select Certificate provided by peer. This will instruct Advanced Firewall to authenticate the secondary system by validating the certificate it presents as its identity credentials.

Preshared Key: Leave empty.

Preshared Key again: Leave empty.

Use compression: Select to reduce bandwidth consumption. This is useful for low bandwidth connections; however, it will require more processing power.

Initiate the connection: Do not select.

Comment: Enter a descriptive comment. For example, Tunnel to Branch Office.

2 Click Add to create the tunnel specification and list it in the Current tunnels area. The advanced settings are left to their default values in this example. The next step is to create a matching tunnel specification on the remote system.

Creating the Tunnel on the Secondary System

To create the tunnel on the secondary system:

1 On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:

Name: Enter a descriptive name for the tunnel.

Enabled: Select to ensure that the tunnel can be activated once configuration is completed.

Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.

Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.

Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the secondary system to the primary system by using the host and domain name ID value in the secondary system’s default local certificate.

Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.

Remote IP or hostname: Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and therefore requires a destination IP address in order to make first contact.

Remote network: Enter the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.

Remote ID type: From the drop-down list, select User specified Host & Domain Name. This matches the primary system’s certificate type of Host and Domain Name, as listed in Prerequisite Overview on page 144.

Remote ID value: Enter the ID value (the hostname) of the primary system’s default local certificate.

Authenticate by: From the drop-down list, select Certificate provided by peer. This instructs Advanced Firewall to authenticate the primary system by validating the certificate it presents as its identity credentials.

Preshared Key: Leave empty.

Preshared Key again: Leave empty.

Use compression: Select if you selected it on the primary system.

Initiate the connection: Select, as the secondary system is responsible for its connection to the primary Advanced Firewall system.

Comment: Enter a descriptive comment, for example, Tunnel to Head Office.

2 Click Add. All advanced settings can be safely left at their defaults.

Checking the System is Active

Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.

To ensure the VPN subsystem is active on both systems:

1 On the primary system, navigate to the VPN > VPN > Control page.
2 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3 On the secondary system, navigate to the VPN > VPN > Control page.
4 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.

Activating the IPSec tunnel

Next, the secondary system should initiate the VPN connection.

To initiate the VPN connection:

1 On the secondary system, navigate to the VPN > VPN > Control page.
2 In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.

Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 59.

IPSec Site to Site and PSK Authentication

Pre-Shared Key (PSK) authentication is useful for creating a basic VPN site-to-site connection where there is no requirement for multiple tunnel authentication and management controls. There are fewer configuration parameters to consider when creating a tunnel specification.

Creating the Tunnel Specification on Primary System

To create the primary tunnel specification:

1 On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:

Name: Enter a descriptive name for the tunnel.

Enabled: Select to ensure that the tunnel can be activated once configuration is completed.

Local IP: Leave blank so that it is automatically generated as the default external IP address at connection time.

Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.

Local ID type: From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the local IP address of the primary system’s external IP address.

Local ID value: Leave empty. It will be automatically generated as Local IP was chosen as the local ID type.

Remote IP or hostname: If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.

Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.

Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary’s IP address (if one was specified).

Remote ID value: Enter the local IP address of the secondary system.

Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared pass phrase.

Preshared Key: Enter a passphrase.

Preshared Key again: Re-enter the passphrase to confirm it.

Use compression: Select this option if you wish to reduce bandwidth consumption. It is useful for low bandwidth connections but requires more processing power.

Initiate the connection: Do not select this option.

Comment: Enter a description, for example: Tunnel to Birmingham Branch.

2 Click Add. Advanced Firewall lists it in the Current tunnels area. All advanced settings can be safely left at their defaults. The next step is to create a matching tunnel specification on the remote system.

Creating the Tunnel Specification on the Secondary System

To create the secondary tunnel specification:

1 On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:

Name: Enter a descriptive name for the tunnel.

Enabled: Select to ensure that the tunnel can be activated once configuration is completed.

Local IP: Leave blank so that it is automatically generated as the default external IP address at connection time.

Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address / network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.

Local ID type: From the drop-down list, select Local IP. This will identify the secondary system to the primary system by using the local IP address of the secondary system’s external IP address.

Local ID value: Leave empty. It will be automatically generated as Local IP was chosen as the local ID type.

Remote IP or hostname: Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and thus it requires a destination IP address in order to make first contact.

Remote network: Specify the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.

Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the secondary system to identify the primary system by the IP address specified above.

Remote ID value: Enter the external IP address of the primary system.

Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the primary system by validating a shared pass phrase.

Preshared Key: Enter the same passphrase as was entered in the Preshared Key field on the primary system.

Preshared Key again: Re-enter the passphrase to confirm it.

Use compression: Select this option if compression was enabled on the primary system.

Initiate the connection: Select this option, as it is the responsibility of the secondary system to initiate its connection to the primary Advanced Firewall system.

Comment: Enter a descriptive comment, for example, Tunnel to Head Office.

2 Click Add. All advanced settings can be safely left at their defaults.

Checking the System is Active

Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.

To check the system is active:

1 On the primary system, navigate to the VPN > VPN > Control page.
2 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3 On the secondary system, navigate to the VPN > VPN > Control page.
4 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.

Activating the PSK tunnel

Next, the secondary system should initiate the VPN connection.

To activate the tunnel:

1 On the secondary system, navigate to the VPN > VPN > Control page.

2 In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.

Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 59.

About Road Warrior VPNs

This part of the manual explains how to create road warrior VPN connections to enable mobile and home-based workstations to remotely join a host network.

When a road warrior connects to Advanced Firewall, it is given an IP address on a specified internal network. When connected, the road warrior client machine will, to all intents and purposes, be on the configured internal network, just as if it was plugged into the network directly. Other machines on the same internal network can see the client. You can route to other subnets, including other VPN-connected ones.

Advanced Firewall supports two different VPN protocols for creating road warrior connections:

• L2TP – L2TP connections are extremely easy to configure for road warriors using Microsoft operating systems. However, all L2TP road warriors must connect to the same internal network.
• IPSec – IPSec road warrior connections use the same technology that Advanced Firewall uses to create site-to-site VPNs. IPSec road warriors can be configured to connect to any internal network. IPSec road warriors must have IPSec client software installed and configured to connect to Advanced Firewall. It is recommended for road warriors using Apple Mac, Linux or other non-Microsoft operating systems.

Configuration Overview

Typically, a road warrior connection is configured as follows:

1 Create a certificate for each road warrior user, usually with the user's email address as its ID type.
2 Decide which VPN protocol best suits your road warrior's needs – L2TP for Win 2000/XP, IPSec for all others.
3 Decide which internal networks and what IP ranges to allocate to road warriors. Typically, you would choose a group of IP addresses outside of either the DHCP range or statically assigned machines such as servers.
4 Create the tunnel specification on the Advanced Firewall system. Each user requires their own tunnel, so create as many tunnels as there are road warriors. When configuring a tunnel, the Client IP setting is used to assign the road warrior's IP address on the local network. Each road warrior must use a unique, unused IP address. This IP address must match the network that the road warrior connects to (globally specified for L2TP connections, individually specified for each IPSec road warrior).
5 Install the certificate and any necessary client software on the road warrior system and configure it.
6 Connect.
7 Ensure that inbound and outbound access to the road warrior have been configured using appropriate zone bridging rules. For further information, see Chapter 6, Configuring Inter-Zone Security on page 59.

Note: Road warrior configuration tutorials are provided in VPN Tutorials on page 178.

IPSec Road Warriors

Before creating a road warrior connection using IPSec, check the following list to assess whether it is the right choice:

• Each connection can be routed to a different internal network.
• Each connection can use different types of cryptographic and authentication settings. This includes overriding the default local certificate.
• Client software will need to be installed on road warrior systems.

Also note that the same advanced options that are available when configuring IPSec site-to-site VPNs are also available to IPSec road warriors.

Creating an IPSec Road Warrior

To create an IPSec road warrior connection:

1 Navigate to the VPN > VPN > IPSec roadwarriors page.
2 Configure the following settings:

Name: Enter a descriptive name for the tunnel.

Enabled: Select to activate the tunnel once it has been added.

Local network: Enter the IP address and network mask combination of the local network. For example, enter the value 192.168.2.0/255.255.255.0 or 192.168.2.0/24 to allow the road warrior to access all addresses in the range 192.168.2.0 to 192.168.2.255.

Note: It is possible to restrict (or extend) the hosts that a road warrior can see on its assigned internal network by changing this setting. For example, if you wish to restrict the connected road warrior to a specific IP address such as 192.168.2.10, set the local network to 192.168.2.10/255.255.255.255 or 192.168.2.10/32 accordingly.

Client IP: Enter a client IP address for this connection. The IP address must be a valid and available address on the network specified in the Local network field.

Local ID type: From the drop-down list, select the local ID type. Default local Certificate Subject is recommended for road warrior connections. For further details, see below.

Local ID value: If you chose a User Specified ID type, enter a local ID value.

Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This is recommended as it allows the road warrior to present any form of valid ID.

Remote ID value: Enter the value of the ID used in the certificate that the road warrior is expected to present.

Authenticate by: From the drop-down list, select one of the following options: To use the road warrior's certificate, choose Certificate presented by peer. Authenticating by a named certificate is recommended for ease of management. Preshared Key – Select to use the global preshared key as defined on the VPN > VPN > Global page.

Comment: Enter a descriptive comment, for example: IPSec connection to Joe Blogg's.

3 Click Advanced and enter the following information:

Local certificate: This is used in less standard X509 authentication arrangements. To use a certificate created by a different CA, select it. For more information, see Advanced VPN Configuration on page 171.

Interface: Used to specify whether the road warrior will connect via an external IP or an internal interface.

Use compression: Select to reduce bandwidth consumption (useful for low bandwidth connections). This will require more processing power.

Perfect Forward Secrecy: This enables the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. VPN gateways must agree on the use of PFS. PFS is recommended for maximum security.

Authentication type: Provides a choice of ESP or AH security during the authentication process. ESP – Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance. AH – IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. Because AH provides only authentication and not encryption, AH is not recommended; it is useful for compatibility with older VPN gateways. This setting should be the same on both tunnel specifications of two connecting gateways.

Phase 1 cryptographic algo: This selects the encryption algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
3DES – A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm, though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.
AES 128 – Advanced Encryption Standard replaces DES/3DES as the US government’s cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.
AES 256 – Advanced Encryption Standard replaces DES/3DES as the US government’s cryptographic standard. AES offers faster and stronger encryption than 3DES. Recommended for maximum security.

Phase 1 hash algo: This selects the hashing algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
MD5 – A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility.
SHA – Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard.

Phase 2 cryptographic algo: This selects the encryption algorithm used for the second phase of VPN tunnel establishment. See Phase 1 cryptographic algo for more information on the options. This setting should be the same on both tunnel specifications of two connecting gateways.

Phase 2 hash algo: This selects the hashing algorithm used for the second phase of VPN tunnel establishment. See Phase 1 hash algo for more information on the options. This setting should be the same on both tunnel specifications of two connecting gateways.

IKE lifetime: Sets how frequently the Internet Key Exchange keys are re-exchanged, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended. This setting should be the same on both tunnel specifications of two connecting gateways.

Key life: This sets the duration that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated. This setting should be the same on both tunnel specifications of two connecting gateways.

Key tries: This sets the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because, if an active connection drops, it will persistently try to re-key a connection that it can't initiate.

Do not Rekey: Turns off re-keying, which can be useful for example when working with NAT-ed end-points.

For details on the operation of each advanced control, see Section 5.1 Introduction to Site to Site VPNs.

4 Click Add at the bottom of the page to add the tunnel to the list of current tunnels.

Note: The advanced settings of an IPSec road warrior tunnel operate in exactly the same manner as those for a site-to-site IPSec connection.
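The site-to-site examples above require the primary and secondary tunnel specifications to mirror each other, and the advanced settings tables (site-to-site and road warrior alike) mark several settings as needing to be the same on both ends. The following Python is an added example, not Smoothwall code: it encodes those rules as a checker over two tunnel specifications using the option names from the tables; the plain `Remote IP` string, the assumed Key life default and the constructed addresses and passphrases are simplifications of this example, not values from the guide.

```python
"""Mirror-check for a primary/secondary pair of IPsec tunnel specifications.

Added example, not Smoothwall code. It encodes the rules the guide states:
networks mirror each other, each end's Remote ID type matches the peer's Local
ID type, only the secondary initiates, a PSK (when used) is identical on both
ends, and the advanced settings marked "should be the same on both" do match.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TunnelSpec:
    name: str
    local_network: str          # e.g. "192.168.10.0/255.255.255.0"
    remote_network: str
    local_id_type: str          # "Default local Certificate ID" | "Local IP"
    remote_id_type: str         # "User specified Host & Domain Name" | "Remote IP"
    authenticate_by: str        # "Certificate provided by peer" | "Preshared Key"
    initiate: bool              # "Initiate the connection" selected
    remote_ip: Optional[str] = None
    preshared_key: str = ""
    use_compression: bool = False
    # Advanced settings; the guide's defaults where it gives them (key life assumed)
    phase1_crypto: str = "3DES"
    phase1_hash: str = "MD5"
    phase2_crypto: str = "3DES"
    phase2_hash: str = "MD5"
    ike_lifetime_min: int = 60
    key_life_min: int = 60
    key_tries: int = 0          # 0 = retry endlessly
    pfs: bool = True
    auth_type: str = "ESP"      # "ESP" | "AH"
    do_not_rekey: bool = False


# Settings the tables say "should be the same on both tunnel specifications".
MUST_MATCH = ("phase1_crypto", "phase1_hash", "phase2_crypto", "phase2_hash",
              "ike_lifetime_min", "key_life_min", "pfs", "auth_type", "use_compression")
# Remote ID type a peer must select for a given Local ID type (from the examples).
ID_PAIRING = {"Default local Certificate ID": "User specified Host & Domain Name",
              "Local IP": "Remote IP"}
# The tables' own assessment of the compatibility options.
WEAK = {"3DES": "3DES is the compatibility choice; AES is faster and stronger",
        "MD5": "MD5 is the compatibility choice; SHA is the hashing standard",
        "AH": "AH gives authentication only, no confidentiality; ESP is recommended"}


def check_single(s: TunnelSpec) -> List[str]:
    """Per-end caveats the advanced settings tables call out."""
    findings: List[str] = []
    if not s.initiate and s.key_tries == 0 and not s.do_not_rekey:
        findings.append(f"{s.name}: Key tries=0 on a non-initiating gateway keeps "
                        "re-keying a connection it cannot initiate")
    if s.ike_lifetime_min > 60:
        findings.append(f"{s.name}: IKE lifetime above the 60 minute maximum")
    options = (s.phase1_crypto, s.phase1_hash, s.phase2_crypto, s.phase2_hash, s.auth_type)
    for opt in dict.fromkeys(options):          # de-duplicate, keep order
        if opt in WEAK:
            findings.append(f"{s.name}: {WEAK[opt]}")
    if not s.pfs:
        findings.append(f"{s.name}: PFS disabled; a compromised current key exposes earlier traffic")
    return findings


def check_pair(primary: TunnelSpec, secondary: TunnelSpec) -> List[str]:
    """Return every rule the pair violates; an empty list means the specs mirror."""
    findings: List[str] = []
    if primary.local_network != secondary.remote_network:
        findings.append("primary Local network must equal secondary Remote network")
    if primary.remote_network != secondary.local_network:
        findings.append("primary Remote network must equal secondary Local network")
    for a, b in ((primary, secondary), (secondary, primary)):
        want = ID_PAIRING.get(a.local_id_type)
        if want and b.remote_id_type != want:
            findings.append(f"{b.name}: Remote ID type should be {want!r} to match "
                            f"{a.name} Local ID type {a.local_id_type!r}")
    if primary.initiate or not secondary.initiate:
        findings.append("only the secondary should have 'Initiate the connection' selected")
    if not secondary.remote_ip:
        findings.append("secondary: Remote IP or hostname cannot be blank, it makes first contact")
    if primary.authenticate_by != secondary.authenticate_by:
        findings.append("both ends must use the same 'Authenticate by' method")
    elif primary.authenticate_by == "Preshared Key" and (
            not primary.preshared_key or primary.preshared_key != secondary.preshared_key):
        findings.append("preshared keys must be non-empty and identical on both ends")
    for key in MUST_MATCH:
        if getattr(primary, key) != getattr(secondary, key):
            findings.append(f"advanced setting {key} differs between the two ends")
    findings.extend(check_single(primary))
    findings.extend(check_single(secondary))
    return findings


if __name__ == "__main__":
    # The guide's PSK example networks, with one deliberately mistyped (constructed) passphrase.
    head = TunnelSpec("head office", "192.168.10.0/255.255.255.0", "192.168.20.0/255.255.255.0",
                      "Local IP", "Remote IP", "Preshared Key", initiate=False,
                      preshared_key="constructed-passphrase")
    branch = TunnelSpec("branch", "192.168.20.0/255.255.255.0", "192.168.10.0/255.255.255.0",
                        "Local IP", "Remote IP", "Preshared Key", initiate=True,
                        remote_ip="203.0.113.10", preshared_key="constructed-passphras")
    for line in check_pair(head, branch):
        print("-", line)
```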

Supported IPSec Clients

Smoothwall currently recommends the use of the following third-party IPSec client applications for IPSec road warriors with Microsoft Operating Systems:

• SafeNet SoftRemote LT
• SafeNet SoftRemote 10
• SafeNet SoftRemote 9

Creating L2TP Road Warrior Connections

This section covers the steps required to create an external road warrior connection using L2TP. Such connections have the following features:

• All connections share the same, globally specified subnet.
• Very easy to configure.
• Mostly supported by Microsoft operating systems, with built-in support on Windows 2000 and XP.

Creating a Certificate

The first task when creating an L2TP road warrior connection is to create a certificate. A road warrior certificate is typically created using the user's email address as the certificate ID. For further information, see Creating a Certificate on page 134.

Configuring L2TP and SSL VPN Global Settings

To configure L2TP and SSL VPN global settings:

1 On the VPN > VPN > Global page, configure the following settings:

L2TP and SSL VPN client configuration settings: Enter primary and secondary DNS settings. These DNS settings will be assigned to all connected L2TP road warriors and SSL VPN users. If applicable, enter primary and secondary WINS settings. These WINS settings will be assigned to all connected L2TP road warriors and SSL VPN users.

L2TP settings: From the drop-down list, select the internal network that L2TP road warriors will be connected to.

2 Click Save.

Creating an L2TP Tunnel

To create an external L2TP road warrior connection:

1 Navigate to the VPN > VPN > L2TP roadwarriors page.
2 Click Advanced to display all settings and configure the following settings:

Name: Enter a descriptive name for the tunnel.

Enabled: Select to activate the tunnel once it has been added.

Username: Enter a username for this connection.

Password: Enter a password for the tunnel.

Again: Re-enter the password to confirm it.

Client IP: Enter a client IP address for this connection in the Client IP field. The IP address must be a valid and available IP on the globally specified internal network.

L2TP client OS: From the drop-down list, select the L2TP client’s operating system.

Comment: Enter a descriptive comment. For example: Joe Blogg's L2TP.

Advanced: Click Advanced to access more options.

Local certificate: From the drop-down list, select the default local certificate to provide Advanced Firewall’s default local certificate as proof of authenticity to the connecting road warrior.

Authenticate by: From the drop-down list, select one of the following options: Certificate presented by peer – If the certificate was created by a different CA, choose this option. Here both ends are Certificate Authorities, and each has installed the peer’s public certificate. Common Name's organization certificate – The peer has a copy of the public part of the host's certificate. Authenticating by a named certificate is recommended for ease of management.

Interface: Select PRIMARY.

3 Click Add to create the L2TP tunnel specification and add it to the Current tunnels region.

Configuring an iPhone-compatible Tunnel

Advanced Firewall enables you to configure iPhone-compatible tunnels. Configuring an iPhone-compatible tunnel entails:

• setting a preshared key and configuring DNS and interface settings on the VPN > VPN > Global page
• creating the tunnel on the VPN > VPN > L2TP roadwarriors page.

Note: Before you start, please be aware of the following limitation in IPSec preshared key (PSK) authentication mode: all connections from unknown IP addresses, including IPSec and L2TP road warriors, must use the same authentication method and, in the case of PSK, the same secret. In practice, this means that if you want to create a tunnel between an iPhone-compatible device and Advanced Firewall, you must:

• not have any L2TP or IPSec road warriors, as they use certificates for authentication
• not have any IPSec subnet tunnels to unknown (blank) remote IPs.

There is a workaround for subnet tunnels to unknown, remote IPs, but the IPSec subnets would have to use PSK authentication with the same shared secret as the iPhone-compatible device.

To configure an iPhone-compatible tunnel:

1 On the VPN > VPN > Global page, configure the following settings:

IPSec Road Warrior (and L2TP) Preshared Key: Preshared key – Enter a strong password which contains more than 6 characters. Again – Re-enter the password to confirm it.

L2TP and SSL VPN client configuration settings: Enter the primary and secondary DNS settings.

2 Click Save. Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings:

Name: Enter a descriptive name for the tunnel. For example: CEO's iPhone.

Enabled: Select to activate the tunnel once it has been added.

Username: Enter a username for this connection.

Password: Enter a password for the tunnel.

Again: Re-enter the password to confirm it.

Client IP: Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.

L2TP client OS: From the drop-down list, select Apple (iPhone compatible).

Comment: Optionally, enter a description of the tunnel.

Authenticate by: Preshared key (iPhone compatible) – Select this option to use the preshared key entered in step 1.

3 Click Add. Advanced Firewall creates the tunnel and lists it in the Current tunnels area.
4 On the iPhone-compatible device, navigate to Settings > General > Network > VPN.
5 Select Add VPN Configuration and configure the following settings:

Description: Enter a description for the tunnel.

Server: Enter Advanced Firewall’s external IP address.

one particular windows update is required for L2TP connections to function: • Q818043 – L2TP/IPSec NAT-T update. Information about this patch can be found at http:// support. Proxy Set to OFF. a road warrior must be using a Microsoft operating system which is covered by the Microsoft support lifecycle. the VPN cannot work. This does of course require that the other end of the VPN tunnel supports NAT-T. Using NAT-Traversal Passing IPSec traffic through any NATing device such as a router (or a separate firewall in front of the VPN gateway/client) can cause problems. VPNing Using L2TP Clients This section explains the configuration process for supported Microsoft operating systems. Note: Any IPSec VPN client connections from a local network behind Advanced Firewall that connect to another vendor's VPN gateway will also need to use NAT-T rather than Protocol 50 for the reasons stated above.microsoft.Smoothwall Advanced Firewall Administrator’s Guide 6 Setting Description Account Enter the username as entered in step 2. L2TP Client Prerequisites To connect to an L2TP tunnel. Connecting Using Windows XP/2000 Users of Windows XP or Windows 2000 should first ensure that they are running the latest service release of their operating system. Both SafeNet SoftRemote and SSH Sentinel support this mode. RSA SecurID Set to OFF.com/?kbid=818043 The above update will already be installed if you are running Windows XP SP2 or above. Send All Traffic Set to ON on for routing to other VPNs. or Windows 2000 SP4 or above. IPSec normally uses Protocol 50 which embeds IP addresses within the data packets – standard NATing will not change these addresses. NAT-T uses the UDP Protocol instead of Protocol 50 for IPSec VPN traffic – UDP is not affected by the NAT process. see http://windowsupdate.microsoft. and the recipient VPN gateway will receive VPN packets containing private (non-routable) IP addresses. Advanced Firewall can operate in IPSec NAT Traversal (NAT-T) mode. 
Please use the Microsoft Windows Update facility to ensure compliance. The tunnel is now ready for use. Specifically. Select Save to save the tunnel configuration. not a NATing feature. Note: NAT-T is a VPN gateway feature. In this situation.com/ 157 . as do the vast majority of other modern VPN gateway devices. Secret Enter the PSK as configured in step 1. However. Password Enter the password as entered in step 2.
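As an added illustration of the NAT-T behaviour described above (this is example code, not part of the guide or of Smoothwall's software), the following Python function classifies raw IPv4 packets into the flows an L2TP/IPSec road warrior produces: IKE on UDP 500, IKE and UDP-encapsulated ESP on UDP 4500 (NAT-T), and bare ESP as IP protocol 50. The packets are constructed inside the block. The `nat_ok` flag records the point made above: the UDP forms carry ports a NAT can translate, the bare protocol 50 form does not. The same check is useful when an anti-malware product alerts on a client's traffic and you need to decide whether what it saw is legitimate tunnel traffic.

```python
import struct
from ipaddress import IPv4Address

# Constants from the IPSec / NAT-T RFCs (RFC 4303 ESP, RFC 3948 UDP encapsulation).
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE carried inside UDP 4500; SPI 0 is never used by ESP

def build_ipv4(src, dst, proto, payload):
    """Construct a minimal IPv4 header (no options, checksum left zero) plus payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def build_udp(sport, dport, data):
    """UDP header (checksum left zero) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(packet):
    """Describe how one IPv4 packet relates to an L2TP/IPSec road-warrior tunnel.

    Returns a dict with 'kind' (IKE, IKE-NAT-T, ESP-NAT-T, ESP or OTHER), addresses,
    ports for UDP, the SPI for ESP, and 'nat_ok': whether a port-translating NAT
    can carry the packet (True for UDP, False for bare ESP, None otherwise).
    """
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    body = packet[ihl:total_len]
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto}
    if proto == IPPROTO_ESP:
        # Bare ESP: SPI (4 bytes) + sequence number (4 bytes) + encrypted payload.
        # No port numbers, so a NAT/PAT device has nothing to multiplex sessions on.
        spi, seq = struct.unpack("!II", body[:8])
        info.update(kind="ESP", spi=spi, seq=seq, nat_ok=False)
        return info
    if proto == IPPROTO_UDP:
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        data = body[8:ulen]
        info.update(sport=sport, dport=dport, nat_ok=True)
        ports = {sport, dport}
        if IKE_PORT in ports:
            info["kind"] = "IKE"
        elif NAT_T_PORT in ports:
            if data[:4] == NON_ESP_MARKER:
                info["kind"] = "IKE-NAT-T"        # IKE moved to 4500 once NAT was detected
            else:
                info["kind"] = "ESP-NAT-T"        # RFC 3948 UDP-encapsulated ESP; the SPI comes first
                info["spi"] = struct.unpack("!I", data[:4])[0]
        else:
            info["kind"] = "OTHER"
        return info
    info.update(kind="OTHER", nat_ok=None)
    return info

def is_expected_roadwarrior_traffic(packet):
    """The guide states that only UDP 500, UDP 4500 and ESP should leave an L2TP/IPSec client."""
    return classify(packet)["kind"] in {"IKE", "IKE-NAT-T", "ESP-NAT-T", "ESP"}

# Constructed sample packets; addresses and SPIs are made up for this example.
CLIENT, GATEWAY = "192.168.1.50", "203.0.113.10"
SAMPLES = {
    "ike":      build_ipv4(CLIENT, GATEWAY, IPPROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    "ike_natt": build_ipv4(CLIENT, GATEWAY, IPPROTO_UDP, build_udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28)),
    "esp_natt": build_ipv4(CLIENT, GATEWAY, IPPROTO_UDP, build_udp(4500, 4500, struct.pack("!II", 0x0000A1B2, 1) + b"\xaa" * 16)),
    "esp":      build_ipv4(CLIENT, GATEWAY, IPPROTO_ESP, struct.pack("!II", 0x0000C3D4, 7) + b"\xbb" * 16),
    "dns":      build_ipv4(CLIENT, GATEWAY, IPPROTO_UDP, build_udp(40000, 53, b"\x12\x34" + b"\x00" * 10)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        c = classify(pkt)
        print(f"{name:9s} {c['kind']:10s} nat_ok={c['nat_ok']} expected={is_expected_roadwarrior_traffic(pkt)}")
```

Run against a capture, anything the classifier reports as OTHER coming from the road warrior is traffic the tunnel does not account for and should be looked at rather than dismissed as a false positive.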

Installing an L2TP Client

The first step in the connection process is to run the L2TP Client Wizard. It is a freely distributable application that automates much of the configuration process. You can download it from here.

The road warrior user must be a member of the Administrators group on the client, because the wizard installs the necessary certificates into the Local Computer certificate store.

When started, the L2TP Client Wizard first ensures that the Q818043 hotfix is installed. If it is not, the program issues a warning. Assuming the hotfix is installed, it then guides the user through the steps of configuring the connection to the Advanced Firewall system.

Note: There is an alternative configuration method that uses a command line tool, thus enabling an L2TP connection to be configured as part of a logon script. For details, see Advanced VPN Configuration on page 171.

To install the L2TP client:
1 Run the L2TP Client Wizard on the road warrior system. The following screen is displayed:
2 View the license and click Next to agree to it.

3 Click Browse and open the CA certificate file as exported during the certificate creation process. Click Next. The following dialog opens:
4 Click Browse to locate and select the road warrior's host certificate file. This must be a PKCS#12 file, typically saved as *.p12, as exported during the certificate creation process. Enter the password and click Next. The following screen is displayed:
5 Ensure that the Launch New Connection Wizard option is selected and click Install.

6 The wizard installs the certificates. Click Finish. The Microsoft New Connection Wizard is launched.
7 Click Next. The following screen is displayed:
8 Select Connect to the network at my workplace and click Next.

9 Select Virtual Private Network connection and click Next. The following screen is displayed:
10 Enter a name for the connection and click Next. The following screen is displayed:
11 Enter Advanced Firewall's host name or IP address and click Next.

12 Click Finish. The Connect dialog box is displayed.
13 Enter the username and password of the road warrior and click Connect. Ensure that the tunnel is enabled and that unblocked communication is permitted.

Note: Certain anti-malware and worm detection software may generate alerts when L2TP client connections are first established. Only UDP port 500 (IKE), UDP port 4500 (NAT-T) and/or ESP (IP protocol 50) should flow from the road warrior when using a Smoothwall L2TP over IPSec connection. Alerts concerning this kind of traffic can be safely ignored; alerts about any other traffic from the client should be investigated as usual.

VPNing with SSL

Advanced Firewall supports OpenVPN SSL connections. Using light-weight clients, which can be easily configured and distributed, any user account able to authenticate to the configured directory service, plus the list of local users, gains easy and secure VPN access to your network. All your users need to know is their Advanced Firewall user account name and password.

Configuring VPN with SSL

The following section explains how to configure Advanced Firewall for VPNing with SSL.

Prerequisites
• An installed default local certificate, see Setting the Default Local Certificate on page 137 for more information.

To configure SSL VPN settings:
1 Browse to the VPN > VPN > Global page. In the SSL VPN settings area, configure the following settings:
Enable SSL VPN – Select to enable SSL VPN on Advanced Firewall.
Transport protocol – Select the network protocol. The following options are available:
TCP (HTTPS) – Select to run the SSL VPN connection over TCP on port 443, the standard HTTPS port. This protocol is preferred for compatibility with filters between the client and the server.
UDP (1194) – Select to run the SSL VPN connection over UDP on port 1194. This protocol is preferred for performance.

SSL VPN network address – Accept the default network address or enter a new one. The IP range must not be one used for any physical network within Advanced Firewall. If the default subnet, 10.110.0/24, is taken by any existing network, configure this setting to use a range not taken on the network.
Note: Because connected clients are placed on a virtual network, to ensure that a user gets full VPN connectivity, all machines they access must also have a route to this network.
SSL VPN netmask – Accept the default network netmask or enter a new one.
SSL VPN client gateway(s) – Usually, a client is configured to use Advanced Firewall's primary external IP address as its gateway. However, if dynamic DNS is used, you have the option to set one or more different gateways. Enter one IP address or hostname per line. If set, the gateway(s) will be used by the SSL VPN clients as the connecting gateway host. If blank, the primary external IP address of the gateway will be used.
Choose random gateway – Select this setting to enable clients to connect to a random address when multiple gateways are defined. This is good for load balancing over multiple links.
Force clients to use SSL VPN as gateway – Select to configure Advanced Firewall to force the client to send all its traffic through the SSL VPN connection. Advanced Firewall can force all connected clients to route through it, which is generally better as it enforces the policy on the server end rather than relying on each client's own configuration.
Note: On Windows Vista, this will not work for a standard user; add the user to the built-in Network Configuration Operators group.
Enable TLS authentication – Select this setting to apply Transport Layer Security (TLS) authentication. In OpenVPN this adds an HMAC signature to every control-channel packet, so packets from hosts that do not hold the key are dropped before any TLS handshake is attempted; this mitigates denial of service attacks against the VPN port.
Note: For systems which have never had VPN configured, this setting is on by default. For systems which have had VPN configured, this setting is off by default.
2 Click Save to save the settings and, at the top of the page, click Restart to apply the settings.

Managing SSL Road Warriors

Managing SSL road warriors entails managing group access to SSL VPNs and managing custom scripts for SSL VPNs. See the sections that follow for more information.

Managing Group Access to SSL VPNs

By default all groups are allowed to use SSL VPN. Advanced Firewall enables you to stop one or more groups from using SSL VPNs by disabling access.

To disable a group from using SSL VPN:
1 Browse to the VPN > VPN > SSL roadwarriors page.
2 In the Select group area, from the Select group drop-down list, select the group you want to disable from using SSL VPN and then click Select. Advanced Firewall displays the SSL VPN group settings.
3 De-select the Enable option and click Save. Advanced Firewall disables access.
4 Repeat the steps above for any other groups you want to disable from using SSL VPN.

Managing Custom Client Scripts for SSL VPNs

Advanced Firewall enables you to upload or remove preconnect, connect and disconnect scripts which can carry out custom commands before or after a VPN comes up or goes down. You can also deploy scripts based on groups. Because these scripts are distributed in the client archive and executed on the client, review them as carefully as any other software you deploy.

Uploading Scripts

To upload scripts:
1 Browse to the VPN > VPN > SSL roadwarriors page.
2 From the Select group drop-down list, accept the default setting to apply any uploaded scripts to all groups, or select the group to which the script(s) will be specifically deployed. Click Select.
3 To upload a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Browse.
4 When prompted, browse to and select the script. Click Upload preconnect script. Advanced Firewall uploads the script and displays the size of the script and a message confirming a successful upload.
5 Repeat the steps above to upload connect and disconnect scripts as required.

Removing Scripts

To remove scripts:
1 Browse to the VPN > VPN > SSL roadwarriors page.
2 In the Select group area, from the Select group drop-down list, accept the default setting to remove any uploaded scripts from all groups, or select the group from which the script(s) will be specifically removed. Click Select.

3 To remove a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Remove preconnect script.
4 Advanced Firewall removes the script and displays a message confirming a successful removal.
5 Repeat the steps above to remove connect and disconnect scripts as required.

Generating SSL VPN Archives

You can generate an archive of the SSL VPN settings which can be distributed to users. Archives contain the client software and the SSL VPN settings and, optionally, custom client scripts.

Note: The same archive can be used for both internal and external use. See Configuring VPN with SSL on page 162 for more information on external use. See Configuring SSL VPN on Internal Networks on page 165 for more information on internal use.

To generate an SSL client archive:
1 On the VPN > VPN > Global page, configure the SSL VPN settings. For more information, see Configuring VPN with SSL on page 162.
2 If you do not want to include custom scripts in the archive, you can generate the archive now. Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required and prompts you to save the file in a suitable location. See step 5 for what to do next.
3 If you want to include scripts in the archive, browse to the VPN > VPN > SSL roadwarriors page and configure the scripts. For more information, see Managing Custom Client Scripts for SSL VPNs on page 164.
4 Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location.
5 Once saved, distribute the archive to those users who will be using SSL VPNing. You can use the Advanced Firewall portal to distribute the archive. For information on how, see Chapter 8, Making the SSL VPN Client Archive Available on page 85.

Configuring SSL VPN on Internal Networks

Advanced Firewall's SSL VPN functionality can be deployed to secure internal wireless interfaces.

Note: An archive can be used for both internal and external use.

To configure SSL VPN on an internal network:
1 On the VPN > VPN > Global page, configure the SSL VPN settings. For more information, see Configuring VPN with SSL on page 162.
2 Click Advanced and, in the Additional SSL VPN client internal interfaces area, select the interface on which to deploy the SSL VPN.
3 Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location.
4 Once saved, distribute the archive to users who require secure access to the internal wireless interface. You can use the Advanced Firewall portal to distribute the archive. For information on how, see Chapter 8, Making the SSL VPN Client Archive Available on page 85.

See Configuring and Connecting Clients on page 166 for information on how to install the SSL VPN software on clients.
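The SSL VPN settings described above map onto a handful of OpenVPN client directives. The following Python is an added example, not Smoothwall's code and not a description of how Advanced Firewall builds its archive: it renders a settings dictionary modelled on the VPN > VPN > Global page into client configuration lines and applies two checks the guide asks for, that the SSL VPN network does not overlap any physical network and that the transport and port agree. The directive names (proto, remote, remote-random, redirect-gateway, tls-auth, auth-user-pass, remote-cert-tls) are standard OpenVPN options; the settings keys, example values and physical network list are constructed for illustration.

```python
from ipaddress import IPv4Network, ip_network

# Transport choices exactly as the guide's settings table offers them.
TRANSPORTS = {
    "TCP (HTTPS)": ("tcp-client", 443),
    "UDP (1194)": ("udp", 1194),
}

def check_vpn_network(address, netmask, physical_networks):
    """Return the SSL VPN network if it overlaps none of the physical networks;
    otherwise raise ValueError naming the clash (the guide requires a free range)."""
    vpn_net = IPv4Network((address, netmask), strict=True)
    for phys in physical_networks:
        phys_net = ip_network(phys, strict=False)
        if vpn_net.overlaps(phys_net):
            raise ValueError(f"SSL VPN network {vpn_net} overlaps physical network {phys_net}")
    return vpn_net

def render_client_config(settings, physical_networks):
    """Turn a settings dict (keys constructed for this example) into OpenVPN client lines.

    Keys: transport, network_address, netmask, gateways (list of host/IP strings),
    random_gateway (bool), force_gateway (bool), tls_auth (bool), primary_external_ip.
    """
    check_vpn_network(settings["network_address"], settings["netmask"], physical_networks)
    proto, port = TRANSPORTS[settings["transport"]]
    # An empty gateway list means "use the primary external IP", as the table says.
    gateways = settings.get("gateways") or [settings["primary_external_ip"]]

    lines = ["client", "dev tun", f"proto {proto}"]
    lines += [f"remote {gw} {port}" for gw in gateways]
    if settings.get("random_gateway") and len(gateways) > 1:
        lines.append("remote-random")            # spread clients across the listed links
    if settings.get("force_gateway"):
        lines.append("redirect-gateway def1")    # send all client traffic through the tunnel
    if settings.get("tls_auth"):
        lines.append("tls-auth ta.key 1")        # HMAC on the control channel; direction 1 on clients
    lines += ["auth-user-pass", "ca ca.crt", "remote-cert-tls server"]
    return lines

# Constructed example values; none are taken from a real deployment.
EXAMPLE_SETTINGS = {
    "transport": "TCP (HTTPS)",
    "network_address": "10.110.0.0",
    "netmask": "255.255.255.0",
    "gateways": ["vpn1.example.net", "vpn2.example.net"],
    "random_gateway": True,
    "force_gateway": True,
    "tls_auth": True,
    "primary_external_ip": "203.0.113.10",
}
EXAMPLE_PHYSICAL = ["192.168.0.0/24", "172.16.8.0/22"]

if __name__ == "__main__":
    print("\n".join(render_client_config(EXAMPLE_SETTINGS, EXAMPLE_PHYSICAL)))
```

The overlap check is the one that bites in practice: a client whose home LAN uses the same range as the SSL VPN network will route VPN destinations locally, so the physical list should include the ranges clients are likely to sit behind, not only the appliance's own interfaces.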

Configuring and Connecting Clients

The following sections explain how to install the SSL VPN client software and connect using an SSL VPN connection.

Installing the Software

To install the SSL VPN client software:
1 Extract the client archive (see Configuring VPN with SSL on page 162) to a suitable location and double-click Smoothwall-SSL-OpenVPN-client.exe to start the installation wizard. The following screen opens:
2 Click Next to continue. The following screen opens:
3 Read the license and click I agree to continue.

4 Accept the default components and click Next to continue. The following screen opens:
5 Accept the default destination folder or click Browse to select a different destination. Click Install to continue. The following screen opens:
6 Click Continue Anyway.

The following screen opens: 8 Click Finish to complete the installation. Password Enter the password belonging to the account. Opening an SSL VPN Connection To open an SSL VPN connection: 1 In the system tray.Virtual Private Networking Managing SSL Road Warriors The following screen opens: 7 Click Next to continue. The following dialog box is displayed: 2 Configure the following settings: 168 Setting Description Username Enter the name of the user account to be used. right click on OpenVPN GUI and select Connect. .

3 Click OK. The SSL VPN connection is opened.

Closing an SSL VPN Connection

To close an SSL VPN connection:
1 In the system tray, right click on OpenVPN GUI and select Disconnect.

VPN Zone Bridging
In order to permit or deny inbound and outbound access to and from a site-to-site VPN tunnel,
ensure that appropriate zone bridging rules are configured.
L2TP road warriors and SSL VPNs require zone bridging rules that bridge the interface. IPSec road
warriors also require zone bridging rules, and share their zone bridging configuration with IPSec
subnets. For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.

Secure Internal Networking
This part of the manual explains how Advanced Firewall can be used to provide secure internal
networking using VPN technology.
An internal VPN capability can be useful in many situations; a few examples of typical scenarios are
given below:

Secure wireless access – Commonly used wireless access protocols offer relatively weak levels of
security, thus allowing potential intruders to directly access and intercept confidential data on an
organization’s internal network. Advanced Firewall can ensure secure wireless access by providing
an additional interface as an internal VPN gateway. By attaching a wireless access point to this
interface, wireless clients can connect and create a secure tunnel to the desired internal network.
Without the necessary authentication credentials (a certificate), wireless intruders cannot gain access
to any network resource.

Hidden network access – It is possible to create a hidden network that can only be accessed via a
secure VPN tunnel. This might be useful to guarantee that certain resources can only be accessed
by an exclusively authenticated member of staff. To do this, create a network that is not bridged to
any other. Nominate an internal interface as a VPN gateway and set the client internal interface to the
hidden network.
There is no complicated configuration process for creating such internal VPNs: the facility is provided
by globally nominating an internal VPN interface and then creating tunnels that specify it as their interface.

Creating an Internal L2TP VPN

To create an internal L2TP VPN connection:
1 Navigate to the VPN > VPN > Global page.
2 In the L2TP settings area, from the L2TP client internal interface drop-down list, choose an internal network interface.
3 Optionally, click Advanced and configure the following settings:
Enable NAT-Traversal – NAT-T is enabled by default and allows IPSec clients to connect from behind NATing devices. In some advanced and unusual situations, however, this feature may prevent connections; therefore, NAT-T can be disabled.


Enable Dead Peer Detection – Used to activate a keep-alive mechanism on tunnels that support it. This setting, commonly abbreviated to DPD, allows the VPN system to detect the failure of a tunnel almost immediately and have it marked as Closed in the control page. If this feature is not used, it can take up to the re-keying interval (typically 20 minutes) to detect that a tunnel has failed. Since not all IPSec implementations support this feature, it is not enabled by default. In setups consisting exclusively of Advanced Firewall VPN gateways, it is recommended that this feature is enabled.
Copy TOS (Type Of Service) bits in and out of tunnels – When selected, the TOS bits of packets entering the tunnel are copied to the outer encrypted packets, and conversely the TOS bits of received VPN packets are copied back to the inner packets. This makes it possible to match the TOS bits of traffic inside the tunnel (such as IP phones) in traffic shaping rules within Traffic and shape it accordingly. If this option is not selected, the TOS bits are hidden inside the encrypted tunnel and it is not possible to traffic shape VPN traffic.
Note: Copying TOS bits exposes the traffic class of the protected packets on the outside of the tunnel, so an observer of the encrypted traffic can distinguish, for example, voice from bulk data even though the payload itself remains encrypted.

4 Click Save.

Note: We advise you to limit any zone bridging from the nominated interface to other interfaces.
Tunnels connecting to the nominated additional interface will be assigned an IP address on the L2TP
client internal interface, as shown in the L2TP settings region.
If a zone bridge is created between the additional nominated interface and the L2TP client interface,
it allows the VPN to be circumvented and thus limits its usefulness.
5 Create a certificate for the L2TP client. See Creating a Certificate on page 134.

6 Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings:
Name – Enter a descriptive name for the tunnel.
Enabled – Select to activate the tunnel once it has been added.
Client IP – Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.
Username – Enter a username for this connection.
Password – Enter a password for the connection.
Again – Re-enter the password to confirm it.
Authenticate by – To dedicate this connection to a specific user, choose the user's certificate from the drop-down list. To allow any valid certificate holder to use this tunnel, choose the Certificate provided by peer option. If your organization anticipates supporting many road warrior connections, authenticating by a specific certificate is recommended for ease of management.
L2TP client OS – From the drop-down list, select the L2TP client's OS.
Comment – Enter a descriptive comment.
7 Click Advanced and, from the Local certificate drop-down list, select Default.
8 Click Add. Advanced Firewall lists the tunnel in the Current tunnels area.

To configure client access to the L2TP tunnel, see Installing an L2TP Client on page 158.

Advanced VPN Configuration
The following sections explain how and when you might want to use non-standard configurations of
CAs, certificates and tunnel definitions to:

Allow sites to autonomously manage their own road warriors

Create VPN links between co-operating organizations

Create VPN hubs that link networks of networks.

Multiple Local Certificates
In some instances, it may be desirable to install multiple local certificates that are used to identify the
same host. There are a number of situations, where this might be desirable:

Autonomous management of road warrior tunnels from multiple sites.

Autonomous management of site-to-site tunnels from multiple sites.
Multiple local certificates are typically used to de-centralize VPN management in larger networks. For
instance, a VPN could be used to create a WAN (Wide Area Network) between three head offices of
a multinational company. Each head office must be responsible for its own VPN links that connect
its regional branches to its head office, as otherwise there would be a reliance on a single set of
administrators in one country / time zone preparing certificates for the entire organization.
Using the above example, each head office VPN gateway could utilize two local IDs (certificates):

Country head office ID – This ID would be used by a head office to identify itself to head offices from
other countries, to form VPN tunnels that make up the international WAN.

Head office ID – This ID would be used by a head office to identify itself to other domestic offices, so
that it can manage VPN tunnel connectivity within its own region.
The same concept can be applied to any situation where autonomous VPN management is required.
To continue the above example, many of the offices within one particular country require a number
of road warrior users to connect to their local networks. In this instance, a branch office VPN gateway
could utilize two local IDs (certificates):

Regional branch office ID – This ID would be used by a branch office to identify itself to the head office
and other branch offices that make up the country-wide WAN.

Branch office ID – This ID would be used by a branch office to identify itself to its local road warriors,
so that it can manage road warrior connectivity to its own branch.

Creating Multiple Local Certificates
This example will demonstrate how to delegate VPN management from an unconfigured master
Advanced Firewall system to an unconfigured secondary Advanced Firewall system. The secondary
Advanced Firewall system will be responsible for managing site-to-site and road warrior connections
within its own geography.
Firstly, we must create a tunnel to link the master Advanced Firewall to the secondary Advanced
Firewall.
Since this example covers configuration from scratch, you must follow the instructions from the step
most appropriate to your current level of VPN connectivity.
1 On the master system, navigate to the VPN > VPN > Certificate authorities page.
2 Create a local Certificate Authority, see Creating a CA on page 131.
3 Create signed certificates for the master and secondary Advanced Firewall systems, see Managing Certificates on page 134.
4 Install the master signed certificate as the master Advanced Firewall's default local certificate, see Setting the Default Local Certificate on page 137.
5 Create the tunnel specification to the secondary Advanced Firewall system, see Site-to-Site VPNs – IPSec on page 138.
6 Export the secondary Advanced Firewall's signed certificate using the PKCS#12 format, see Exporting Certificates on page 135. The PKCS#12 file contains the secondary system's private key, so transfer it over a trustworthy channel and protect its password.
7 Export the master Advanced Firewall's CA certificate in PEM format, see Exporting the CA Certificate on page 132.
The remaining series of configuration steps are all carried out on the secondary Advanced Firewall
system, firstly to create the primary site-to-site link.
To create the primary site-to-site link:
1 On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
2 Import the CA certificate on the secondary Advanced Firewall, see Importing Another CA's Certificate on page 133.
3 Import the signed certificate on the secondary Advanced Firewall system, see Importing a Certificate on page 136.
4 Install the signed certificate as the default local certificate, see Setting the Default Local Certificate on page 137.
5 Create the tunnel specification to the master Advanced Firewall system, with Local certificate set to Default, see Site-to-Site VPNs – IPSec on page 138.
6 Test the VPN connection.
The next step is to create an additional CA on the secondary Advanced Firewall system. This
additional CA will be used to create another local certificate for the secondary Advanced Firewall
system, as well as certificates for any further site-to-site or road warrior connections that it will be
responsible for managing.

To create an additional CA on the secondary Advanced Firewall system:
1 On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
2 Create a new local Certificate Authority, see Creating a CA on page 131.
3 Create a new signed certificate for the secondary Advanced Firewall system (this will be used as the secondary Advanced Firewall's second local certificate), see Creating a Certificate on page 134.
4 Create a new signed certificate for any host whose VPN connectivity will be managed by the secondary Advanced Firewall system.
5 Create a site-to-site or road warrior tunnel specification, and choose the second signed certificate (created in step 3) as the Local certificate.
6 Export the local CA certificate and the signed certificate created in step 4 to any host whose VPN connectivity will be managed by the secondary Advanced Firewall system.
7 Create the remote tunnel specification (this could be a road warrior client or another site-to-site gateway).

Public Key Authentication
It is possible to authenticate a VPN tunnel by exchanging each host's public key with the other.
During authentication, each host checks the signature the peer produces with its private key against
the public key in the peer certificate that was exchanged beforehand; the certificate is trusted because
it was installed directly on the gateway, not because of who signed it.
This configuration does not require the CA that created either host's certificate to be known to either
VPN gateway. This can be useful in many ways:
• Simplified internal management, using certificates created by an external Certificate Authority.
• Tunnelling between two separate organizations using certificates created by different (possibly external) CAs.
• Alternative scheme to allow both ends of the tunnel to create their own CA and default local certificates. This would enable each VPN gateway to manage its own site-to-site and road warrior connections. This achieves the same result as the previous technique described in the Multiple Local Certificates section.

Note: The use of public key authentication should not be considered a direct replacement for a stringent
X.509 based authentication setup. While public key authentication does use some of the same
technologies that constitute an X.509 solution, it does not validate the certificate against a CA: there is
no chain of trust and no revocation mechanism, so a compromised peer key can only be dealt with by
removing the imported certificate from every gateway that trusts it, and the security of the tunnel rests
on the certificates having been exchanged over a trustworthy channel. As such, appropriate precautions
should be taken when considering implementing this alternative authentication method.

Configuring Both Ends of a Tunnel as CAs

This configuration example uses public key authentication to connect two Advanced Firewall
systems, each with its own CA so that they can manage their own site-to-site and road warrior
connections.
The following assumptions have been made:
• Two Advanced Firewall systems.
• Each Advanced Firewall has its own CA.
• Each CA has created a signed certificate for its own local Advanced Firewall system.

To create the tunnel specifications:
1 On both systems, navigate to the VPN > VPN > Certificates page.
2 Export the local certificates from both Advanced Firewall systems using the PEM format, see Exporting Certificates on page 135.
3 Import each PEM certificate on the opposite Advanced Firewall system, see Importing a Certificate on page 136. Because the imported certificate becomes the sole trust anchor for this tunnel, confirm its fingerprint with the other administrator out of band before importing it.
4 Create an IPSec site-to-site tunnel specification on the first Advanced Firewall system, and select the second Advanced Firewall system's host certificate in the Authenticate by drop-down list.
5 Create an IPSec site-to-site tunnel specification on the second Advanced Firewall system, and select the first Advanced Firewall system's host certificate in the Authenticate by drop-down list.

The tunnel can now be established and authenticated between the two Advanced Firewall systems.
In addition, each Advanced Firewall system is able to autonomously manage its own site-to-site and
road warrior connections by using its own CA to create additional certificates.

VPNs between Business Partners
To create a VPN between two separate organizations (such as two firms working together as
partners), it is most likely that an IPSec tunnel will be required. This may be to a non-Advanced
Firewall system, so a degree of co-ordination will be required to decide upon a compatible tunnel
specification.
This example uses certificates created by an external, commercial CA so that each organization can
authenticate certificates presented by the other using a CA that is independent of both organizations.
This configuration example assumes the following:
• A local Advanced Firewall system.
• Host certificates created by the same commercial CA.
• Host certificate, Certificate A, created by the commercial CA for the Advanced Firewall system.
• Host certificate, Certificate B, created by the commercial CA for the other organization's VPN gateway.
Firstly, import the certificate created for the local Advanced Firewall system (Certificate A).
To import the certificate:
1 On the local system, navigate to the VPN > VPN > Certificates page.
2 Import Certificate A, see Importing a Certificate on page 136.

Next, import the commercial CA's certificate:
1 On the system, navigate to the VPN > VPN > Certificates page.
2 Import the CA's certificate according to the file format it was supplied in, see Importing Another CA's Certificate on page 133.

Next, configure the local tunnel specification in co-operation with the other organization. This is most
likely to be an IPSec site-to-site connection, though it is possible that you could connect to their
network as a road warrior. In either case, full consultation between both organizations is required to
decide on the configuration options to be used on the respective VPN gateways.
Follow these steps to create a site-to-site connection:
1 Connect to Advanced Firewall on the Advanced Firewall system and navigate to the VPN > VPN > IPSec subnets page.
2 In the local tunnel specification, choose Default local cert subject or Default local cert subject alt.name from the Local ID type drop-down list. However, it may be necessary to use user specified values if the other VPN gateway is not directly compatible with Advanced Firewall's communication of certificate subjects.
3 Choose Certificate A from the Local certificate drop-down list to ensure that this tunnel overrides any default local certificate that might be configured.
4 Choose Certificate provided by peer from the Authenticate by drop-down list. This will ensure that Advanced Firewall authenticates Certificate B when it is presented by the other organization's VPN gateway. Note that any certificate issued by the same commercial CA would pass this check on its own; the remote ID set in the next step is what restricts the tunnel to Certificate B.
5 Choose the remote ID type from the Remote ID type drop-down list that matches the identity entered during the creation of Certificate B using the commercial CA.
6 Confer with the other organization regarding all other configuration settings and ensure that they authenticate the tunnel using the CA's certificate and Certificate A as provided by Advanced Firewall at connection time.

Extended Site to Site Routing
A useful feature of Advanced Firewall is its ability to use the VPN as a means of linking multiple
networks together by creating a centralized VPN hub. The hub is used to route traffic between
different networks and subnets by manipulation of the local and remote network settings in each
tunnel specification.
This potentially allows every network to be linked to every other network without the need for a fully
routed network of VPN tunnels, i.e. a tunnel from every site to every other site. A fully routed network
can be awkward to configure and maintain.
This configuration example assumes the following:

Site A – Local network: 192.168.10.0/255.255.255.0 – Tunnel A connects to Site B.

Site B – Local network: 192.168.20.0/255.255.255.0 – Tunnel A connects to Site A, Tunnel
C connects to Site C.

Site C – Local network: 192.168.30.0/255.255.255.0 – Tunnel C connects to Site B.
The advantage of this approach is that only one tunnel is required for each remote network. The
disadvantage is that the central VPN gateway is now routing traffic not destined for it, so it requires
additional bandwidth and processing resources. Also, the central VPN gateway creates a single point of
failure in the network. An improved approach would incorporate backup tunnel definitions that could be
used to create a fail-over VPN hub elsewhere on the network.


Site A Tunnel Definition
A definition for Tunnel A (connecting Site A to Site B) is required. Use the following local and remote
network settings:

Local network – 192.168.10.0/255.255.255.0

Remote network – 192.168.0.0/255.255.0.0
With this configuration, any traffic destined for the Site B network (any address in the range
192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the
definition of the remote end of Tunnel A.
Any traffic destined for the Site C network (any address in the range 192.168.30.0 to
192.168.30.255) will also be routed to Site B, as this range also falls within the definition of the
remote end of Tunnel A. However, this traffic still needs to be forwarded to Site C to reach its
destination – Tunnel C from Site B will ensure this.

Site B Tunnel Definitions
First, a definition for Tunnel A (connecting Site B to Site A) is required. Use the following local and
remote network settings:

Local network – 192.168.0.0/255.255.0.0

Remote network – 192.168.10.0/255.255.255.0
With this configuration, any traffic destined for the Site A network (any address in the range
192.168.10.0 to 192.168.10.255) will be routed to Site A, as this range falls within the
definition of the remote end of Tunnel A.
Next, a definition for Tunnel C (connecting Site B to Site C) is required. Use the following local and
remote network settings:

Local network – 192.168.0.0/255.255.0.0

Remote network – 192.168.30.0/255.255.255.0
With this configuration, any traffic destined for the Site C network (any address in the range
192.168.30.0 to 192.168.30.255) will be routed to Site C, as this range falls within the
definition of the remote end of Tunnel C.

Site C Tunnel Definition
A definition for Tunnel C (connecting Site C to Site B) is required. Use the following local and remote
network settings:

Local network – 192.168.30.0/255.255.255.0

Remote network – 192.168.0.0/255.255.0.0
With this configuration, any traffic destined for the Site B network (any address in the range
192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the
definition of the remote end of Tunnel C.
Any traffic destined for the Site A network (any address in the range 192.168.10.0 to
192.168.10.255) will also be routed to Site B, as this range also falls within the definition of the
remote end of Tunnel C. However, this traffic still needs to be forwarded to Site A to reach its
destination – Tunnel A from Site B will ensure this.
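As an added illustration (not the guide's or Smoothwall's code), the following Python models the three tunnel definitions above and walks a packet gateway by gateway, showing that Site A to Site C traffic transits the hub and that a destination inside 192.168.0.0/16 which no spoke actually defines is silently absorbed at the hub. The peer map, the hub's own 192.168.20.0/24 LAN and the use of prefix lengths instead of dotted masks are assumptions taken from the example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the three-site hub described above (added example, not Smoothwall code).
# Per site: (tunnel name, Local network, Remote network) as in the tunnel definitions, with
# prefix lengths in place of the dotted masks the guide uses.
TUNNELS = {
    "Site A": [("Tunnel A", "192.168.10.0/24", "192.168.0.0/16")],
    "Site B": [("Tunnel A", "192.168.0.0/16", "192.168.10.0/24"),
               ("Tunnel C", "192.168.0.0/16", "192.168.30.0/24")],
    "Site C": [("Tunnel C", "192.168.30.0/24", "192.168.0.0/16")],
}
# Which gateway sits at the far end of each tunnel (assumed from the example's description).
PEER = {("Site A", "Tunnel A"): "Site B", ("Site B", "Tunnel A"): "Site A",
        ("Site B", "Tunnel C"): "Site C", ("Site C", "Tunnel C"): "Site B"}
# The LAN physically attached to each gateway; the hub's own LAN is far narrower than the
# 192.168.0.0/16 it declares as its Local network.
LAN = {"Site A": "192.168.10.0/24", "Site B": "192.168.20.0/24", "Site C": "192.168.30.0/24"}


def select_tunnel(site, src, dst, tunnels=TUNNELS):
    """Return the tunnel at `site` whose Local network contains src and whose Remote network
    contains dst, or None. If several Remote networks match, the most specific one wins."""
    src, dst = ip_address(src), ip_address(dst)
    matches = [(name, ip_network(remote)) for name, local, remote in tunnels[site]
               if src in ip_network(local) and dst in ip_network(remote)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[1].prefixlen)[0]


def route(src_site, src, dst, max_hops=8):
    """Walk a packet gateway by gateway. Returns (delivered, path): path lists the sites the
    packet reached; delivered is True only if the last site's LAN contains dst."""
    path, site = [src_site], src_site
    for _ in range(max_hops):
        if ip_address(dst) in ip_network(LAN[site]):
            return True, path
        tunnel = select_tunnel(site, src, dst)
        if tunnel is None:          # nothing covers dst here: the hub silently drops it
            return False, path
        site = PEER[(site, tunnel)]
        path.append(site)
    return False, path              # hop limit hit, treat as a routing loop


def overlapping_remotes(site, tunnels=TUNNELS):
    """Pairs of tunnels at `site` whose Remote networks overlap. Each overlap is a place where
    traffic can be sent down the wrong tunnel, so every one should be deliberate."""
    nets = [(name, ip_network(remote)) for name, _, remote in tunnels[site]]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    for site, src, dst in [("Site A", "192.168.10.5", "192.168.30.7"),   # A -> C via the hub
                           ("Site C", "192.168.30.7", "192.168.10.5"),   # return path
                           ("Site A", "192.168.10.5", "192.168.40.1")]:  # subnet nobody defines
        print(site, src, "->", dst, route(site, src, dst))
    for site in TUNNELS:
        print(site, "overlapping remote networks:", overlapping_remotes(site))
```

Run it with a deliberately widened Tunnel A remote network at Site B (192.168.0.0/16) and `overlapping_remotes` reports the Tunnel A / Tunnel C clash that the longest-prefix rule would otherwise hide.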

Managing VPN Systems
The following sections document how to:
• Control VPNs
• Open and close tunnels
• Monitor and report tunnel activity

• Display tunnel logging information
• Update tunnel licensing.
Automatically Starting the VPN System
Advanced Firewall’s VPN system can be set to automatically start when the system is booted. This allows road warriors to tunnel in without having to wait for the system to be started. It also allows site-to-site tunnels that are initiated on the Advanced Firewall system to automatically negotiate a site-to-site connection.
To configure automatic start up:
1 Navigate to the VPN > VPN > Control page.
2 In the Automatic control area, select Start VPN sub-system automatically.
3 Click Save.
Manually Controlling the VPN System
The following sections explain how to start, restart, stop and view the status of the VPN system.
Starting/Restarting the VPN system
To start or restart the VPN system:
1 Navigate to the VPN > VPN > Control page.
2 Click Restart in the Manual control region.

Stopping the VPN system
To stop the VPN system:
1 Navigate to the VPN > VPN > Control page.
2 Click Stop from the Manual control region.
Viewing the VPN system status
To view the VPN system status:
1 Navigate to the VPN > VPN > Control page.
2 Click Refresh in the Manual control region.
3 View the current status from the Current status information field.
There are two possible system statuses:
• Running – The VPN system is currently operational, tunnels can be connected.
• Stopped – The VPN system is not currently operational, no tunnels can be connected.
Viewing and Controlling Tunnels
All configured tunnels can be viewed and controlled from the VPN > VPN > Control page. There are two possible tunnel statuses:
• Open – The tunnel is connected, communication across the tunnel can be made.
• Closed – The tunnel is not connected, no communication across the tunnel can be made.
IPSec Subnets
Site-to-site IPSec subnet connections are shown in the IPSec subnets region of the VPN > VPN > Control page. The information displayed is:
• Name – The name given to the tunnel.
• Remote IP – The IP address of the other end of the tunnel.
• Control:
• Up – Open the tunnel connection
• Down – Close the tunnel connection.
IPSec Road Warriors
IPSec road warrior connections are shown in the IPSec road warriors region of the VPN > VPN > Control page. The information displayed is:
• Name – The name given to the tunnel.
• Internal IP – The IP address of the local tunnel end.
• Remote IP – The IP address of the other end of the tunnel.
• Control:
• Up – Open the tunnel connection
• Down – Close the tunnel connection.
L2TP Road Warriors
L2TP road warrior connections are shown in the L2TP Road Warriors region of the VPN > VPN > Control page. The information displayed is:
• Name – The name given to the tunnel.
• Control:

• Up – Open the tunnel connection
• Down – Close the tunnel connection.
SSL Road Warriors
SSL road warrior connections are shown in the SSL Road Warriors region of the VPN > VPN > Control page. The information displayed is:
• Username – The name given to the tunnel.
• Internal IP – The IP address of the local tunnel end.
• External IP – The IP address of the other end of the tunnel.
• Control
• Up – Open the tunnel connection
• Down – Close the tunnel connection.
VPN Logging
VPN log entries can be found in the Logs and reports > Logs > IPSec page.
VPN Tutorials
The following tutorials cover the creation of the main types of VPN tunnels. The examples build on each other, i.e. the configuration settings in an example build on those of the previous one.
Example 1: Preshared Key Authentication
This first example begins with a simple two network VPN using shared secrets. This is the easiest to set up. The following networks are to be routed together via a VPN tunnel:
We will use Preshared Key authentication initially. This tunnel we call Tunnel 1.
Configuring Network A
There is no need for a CA or any certificates. Create a tunnel with the following characteristics. Where a parameter is not listed, leave it at its default value:
Parameter – Description
Name – Tunnel 1
Local network – Set to the opposite end’s remote network value.

Local ID type – Local IP
Remote IP or hostname – 200.0.0.1
Remote network – 192.168.12.0/24
Remote ID type – Remote IP (or ANY if blank Remote IP)
Authenticate by – Preshared Key
Preshared Key – loudspeaker
Preshared Key again – loudspeaker
All other settings can be left at their defaults.
Note: When configuring multiple PSK-based tunnels, use the User specified IP address as the remote system ID type and the remote system external IP in the Remote system ID Value.
Configuring Network B
Here a single tunnel is created:
Parameter – Description
Name – Tunnel 1
Local network – Set to the opposite end’s remote network value.
Local ID type – Local IP
Remote IP or hostname – 100.0.0.1
Remote network – 192.168.0.0/24
Remote ID type – Remote IP (or ANY if blank Remote IP)
Authenticate by – Preshared Key
Preshared Key – loudspeaker
Preshared Key again – loudspeaker
Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge. To create the zone bridge:
1 On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.
Testing
Restart the VPN system on both ends. Because both ends are set as initiators, the tunnels should come up immediately. If this does not happen please refer to Appendix C, Troubleshooting VPNs on page 331.
To actually test that the VPN is routing, ping a host on the remote network from a machine on the local one. You should also be able to connect to servers and desktops on the remote network using your standard tools.

Example 2: X509 Authentication
In this example, the same network as used in Example 1 will be used, see Example 1: Preshared Key Authentication on page 178. This time we will improve the setup by using x509 authentication instead of PSK.
Configuring Network A
Network A will be configured to be the Certificate Authority in the system. Begin by going to the Authorities page and setting up the CA. You should, of course, enter values appropriate to your organization:
Parameter – Description
Common Name – Network A Cert Auth
Organization – My Company Ltd
From now on, we will list only the required fields. In this example, we will enter My Company Ltd in all Organization fields on the certificates we create.
Next you should export this certificate in PEM format, and save it on the local workstation’s hard disk. We will call this file ca.pem. You will need this file later.
Switch to the certificates page, and create the local certificate. It requires ID information:
Parameter – Description
ID Type – Host & Domain name
ID Value – tunnela.mycompany.com
Common Name – Network A Local Cert
The peer (the Network B machine) needs a certificate too:
Parameter – Description
ID Type – Host & Domain name
ID Value – tunnelb.mycompany.com
Common Name – Network B Cert
Organization – My Company Ltd
Create both certificates, and then export the Network B Cert certificate in PKCS#12 format. You will need to enter the passphrase to encrypt this certificate with; enter it in both boxes. We will call this file tunnelb.p12.
Choose the Network A Local Cert certificate to be the Default local certificate, and press Save. We will Restart the VPN shortly to make this change active.
Now onto the tunnels page.

The tunnel specification is a little more complex. Here it is:
Parameter – Description
Name – Tunnel 1
Local network – Set to the opposite end's remote network value.
Local ID type – Default local cert subject alt. name
Remote IP or hostname – 200.0.0.1
Remote network – 192.168.12.0/24
Remote ID type – Host & Domain name
Remote ID value – tunnelb.mycompany.com
Authenticate by – Certificate presented by peer
Add the tunnel.
Configuring Network B
The first step is to import the certificates. To import the certificates:
1 On the Certificate authorities page, import the ca.pem file.
2 On the certificates page, import the tunnelb.p12 file you created earlier. Remember to input the passphrase used to create the export file in both boxes.
3 Choose the certificate Network B Cert as the Default local certificate and click Save.
The tunnel configuration should look like this:
Parameter – Description
Name – Tunnel 1
Local network – Set to the opposite end's remote network value.
Local ID type – Default local cert subject alt. name
Remote IP or hostname – 100.0.0.1
Remote network – 192.168.0.0/24
Remote ID type – Host & Domain name
Remote ID value – tunnela.mycompany.com
Authenticate by – Certificate presented by peer
Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge. On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.
Testing
As before, restart both ends of the tunnel. If the tunnel fails to come up, the most likely cause is a mismatch of IDs. Examine the log for telltale messages. Check the IDs in the certificates by clicking on them in the certificate page. The ID is the same as the Certificate ID.

Example 3: Two Tunnels and Certificate Authentication
We will now add an additional system, Network C, to the VPN network. We want Network C to be able to access both the Network A subnet and Network B, and vice versa. In Extended Site to Site Routing on page 174, we explained how to create centralized VPN hubs using extended subnetting. We will use this technique to allow Network B to route to Network C.
Network A Configuration
Create a new certificate for the new peer, and export it as a PKCS#12 file. We set the following properties for this certificate:
Parameter – Description
ID Type – Host & Domain name
ID Value – tunnelc.mycompany.com
Common Name – Advanced Firewall C Cert
Organization – My Company Ltd
Modify the existing tunnel to Network B. All settings are unchanged except:
Parameter – Description
Local subnet – 192.168.0.0/16
Notice how this subnet mask now covers all subnets in the VPN.
Now we create a new tunnel to Advanced Firewall C:
Parameter – Description
Name – Tunnel 2
Local subnet – 192.168.0.0/16
Local ID type – Default local cert subject alt. name
Remote IP or hostname – 250.0.0.1
Remote network – 192.168.13.0/24

Remote ID type – Host & Domain name
Remote ID value – tunnelc.mycompany.com
Authenticate by – Certificate presented by peer
Network B Configuration
Modify the tunnel as follows:
Parameter – Description
Remote subnet – 192.168.0.0/16
Network C Configuration
Import the certificate, and then create the tunnel to Network A:
Parameter – Description
Name – Tunnel 2
Local ID type – Default local cert subject alt. name
Remote IP or hostname – 100.0.0.1
Remote network – 192.168.0.0/16
Remote ID type – Host & Domain name
Remote ID value – tunnela.mycompany.com
Authenticate by – Certificate presented by peer
Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge. On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.
Testing
Test in the same way as before. After bringing up both tunnels, you should test by pinging a machine on the Network A end from both the Network B and Network C networks. Then you should test that you can route across Network A by pinging a host on the Network C network from the Network B network.
Example 4: IPSec Road Warrior Connection
Now we will add a road warrior, running SafeNet SoftRemote. This road warrior will connect to the Network A gateway. In addition to being able to access the Network A local network (192.168.0.0/24), the road warrior will be able to access Network B and Network C as well.

The road warrior is required to assume an internal IP on Network A’s local network, in this case 192.168.0.5.
Network A Configuration
Create a certificate with the following properties:
Parameter – Description
Common Name – IPSec road warrior
Organization – My Company Ltd
Note: No ID is required on this certificate.
Now create the IPSec road warrior tunnel:
Parameter – Description
Name – IPSec road warrior
Local network – 192.168.0.0/16
Local ID type – Default local cert subject
Client IP – 192.168.0.5
Remote ID type – Remote IP (or ANY if blank Remote IP)
Authenticate by – Certificate provided by peer
Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA file, ca.pem.

SoftRemote – Configuration
This tutorial describes setting up the client using a policy template as a shortcut to getting the connection up and running. Full details, including detailed screen shots, are given in Working with SafeNet SoftRemote on page 187.
After installing the client, begin by going to the Certificate Manager and importing the ca.pem and the computercert.p12 certificate.
In the Security Policy Editor, import the template policy, policytemplate.spd, which is on the installation CD. This policy file contains most of the input fields pre-filled with suitable defaults, and will save a lot of time configuring the client. If you use different settings to those described in this tutorial, compression for example, then you will have to modify those settings.
The following fields need to be filled in after importing the policy template. In road warrior:
Parameter – Description
Gateway IP Address – 100.0.0.1
Subnet – 192.168.0.0
Mask – 255.255.0.0
In My Identity:
Parameter – Description
Internal Network IP Address – 192.168.0.5
After making the changes, remember to save the Security Policy.
Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge. On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.
Testing
To bring up the connection, the simplest way is to ping a host on the network behind the gateway. After a few retries, you should see the task bar icon change to show a yellow key. This indicates that the tunnel is up. Your client computer will then appear to be connected to the local network behind the VPN gateway. You should be able to browse web servers, and so on. Also, because the tunnel covers all three local networks, you should be able to connect to all three. This works both ways: a machine on the local network can connect to the road warrior.

Example 5: L2TP Road Warrior
This example consists of an additional road warrior client, this time running Microsoft Windows XP and using Microsoft’s L2TP road warrior client.
Network A Configuration
Create a certificate with the following properties:
Parameter – Description
Common Name – L2TP road warrior
Organization – My Company Ltd
Note: No ID is required on this certificate.
Now create the L2TP road warrior tunnel:
Parameter – Description
Name – L2TP road warrior
Authenticate by – Certificate provided by peer
Client IP – 192.168.0.6
Username – road warrior
Password – microphone
Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA file, ca.pem.
L2TP Client Configuration
This tutorial only outlines the process of configuring an L2TP client. For detailed instructions, see Installing an L2TP Client on page 158.

Begin by using the L2TPWizard to import the two certificates. After bringing up the New Connection wizard, the only detail that must be configured is the VPN gateway external address, 100.0.0.1 in this example.
In TCP/IP properties, Advanced settings, you can choose to use the remote network as the default gateway for the L2TP client. This option, enabled by default, is required if the client needs to be able to route to the Advanced Firewall B and Advanced Firewall C networks. This is because the L2TP client does not provide any facilities for setting up remote network masks.
In the Connection dialog, enter the username and password as configured on the Advanced Firewall A gateway:
Parameter – Description
Username – road warrior
Password – microphone
Finally, press the Connect button to initiate a connection to the Advanced Firewall A VPN gateway.
Creating a Zone Bridge
In order for traffic to flow down the tunnel, you must create a zone bridge. On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network and the L2TP interface. If you want traffic to flow in both directions, make the rule bi-directional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.
Working with SafeNet SoftRemote
The following sections are a configuration guide for connecting to the Advanced Firewall VPN gateway using SafeNet SoftRemote.
Configuring IPSec Road Warriors
First, create a signed certificate for the road warriors. An ID type is not normally required, although it does no harm to include one when creating the certificate. Each road warrior requires their own tunnel, so create as many tunnels as there are road warriors.
On the VPN > VPN > IPSec roadwarrior page, the Client IP field is used to input the particular local network IP address. Such an IP address must be in a local network zone and currently unused. Each road warrior user will need their own IP address. Typically, you would choose a group of IP addresses outside of either the DHCP range or statically assigned machines such as servers. The IP address should be a previously unused address and unique to the road warrior.
Set the Local ID type to Default local cert Subject, and set the Authenticate by setting to the certificate for this road warrior connection. Then add the tunnel.
When connected, each road warrior gets an IP address in a specified local network zone. Each road warrior client will, to all intents and purposes, be on the local network zone, just as if it was plugged in directly. This also means that other machines in the network can see the client. It will be possible to route to other subnets, including VPN-connected ones.
Note: The same advanced options are available as used when configuring IPSec Subnet VPNs. This includes the encryption settings, and overriding the default local certificate.

Specifically.spd. Mask and the gateway’s hostname (or IP address). saving you from the chore of doing it yourself. a single connection. create a connection in the Security Policy Editor. To make configuration of this client easier. you may use a Security Policy template. We also recommend that the LT versions of this software be used. import a CA . and a short time later the certificate should appear in the list.e. we will also describe how you would setup the client without the policy. named road warrior will become available. In the Root CA’s tab. 3 Next. 2 In the My Certificates tab. import a . 5 Assuming the Advanced Firewall gateway is using the standard settings for its road warrior clients. that will pre-fill most of the settings to suitable values. you should consider upgrading to at least version 9 because of known securityrelated problems with version 8. This indicates the certificate is valid. For completeness. 1 After installation.PEM from Advanced Firewall. which can be found in the extras folder on the installation CD. only a handful of settings must be entered. However.P1. Enter the export password. Open it. In the road warrior section: 6 Enter the Remote Subnet. 4 Import the Security Policy template. those described above. Check the log messages in the client to see if NAT-T mode is being used as expected. No extra configuration is required. You should get a message saying the certificate is valid (because the CA certificate is installed) but lacks a CRL (Certificate Revocation List). i. open the Certificate Manager. Configuration of Zone Alarm will not be covered in this manual. Older versions which support Virtual IP addresses should also inter-operate. After importing this policy. version 8 is known to work as well as version 9. and click Verify (on the right). NAT-T is handled automatically by this client. 188 . policytemplate. 
which do not incorporate Zone Alarm.Virtual Private Networking Working with SafeNet SoftRemote Using the Security Policy Template SoftRemote This documentation covers version both 9 and version 10 of this client. Select the certificate.

7 In the My Identity section:
8 Enter the Internal Network IP Address. All other fields will be pre-filled. Obviously, if you are not using standard settings, then you will have to modify those particular settings. For instance, if you are using compression, then you will have to enable it in the client.
9 Save the settings, and close the Security Policy Editor.
10 To bring up the connection to the Advanced Firewall gateway, you must send it a packet. The easiest way to do this is by pinging a host on the remote network. After a series of Request timed out messages you should start to get packets back, indicating that the VPN is up (you will also notice the system tray icon change).
Creating a Connection without the Policy File
We will now describe how to set up the client without using the security policy template, as described in D.
Before creating the connection, you must activate a special feature within the client which allows you to specify a local network zone IP address for the client to take when it connects to the VPN gateway.
1 Select Global Policy Settings from the Options menu. A window will appear, and you should tick the box marked Allow to specify internal network address.
2 Now go back to the tree control on the left and choose the New Connection node. You can rename this to something more appropriate, like road warrior. In this node, configure the remote Subnet address and Mask.

3 Choose Secure Gateway Tunnel from the Connect using drop-down list, and select an ID Type of Any. You should then enter either a Gateway IP Address or Gateway Hostname.
4 Next, move to the My Identity node. Select the certificate you imported earlier. The ID type’s default, the Distinguished Name, another word for the subject of a certificate, will suffice. Virtual adapter should be disabled, and Internet Interface set to Any.
5 In the Internal network IP, enter the local network zone IP address (the Client IP) that was specified when the tunnel was created.
6 Create a new Phase 1 security policy: Select 3DES encryption, and MD5 as the hashing algorithm. Set the key group to 5, and choose a SA Life of 3000 seconds. This time period has to be less than the equivalent setting in the Advanced Firewall, which defaults to 60 minutes (3600 seconds). This is necessary to ensure the tunnel is always re-keyed.
7 Finally create a Phase 2 security policy. Tick the ESP box, and again 3DES and MD5. In this page you can select compression or not, as well as key life settings.
8 Once again, set the SA Life to 3000 seconds.
9 Test as before, by initiating a connection to a host on the Remote Network. Diagnostic logs are available through the tool bar icon.
Advanced Configuration
Using the configuration previously described, the selected certificate will be required by the client in order to obtain a connection. This method is usually desired, especially if the client certificates are not installed onto the VPN gateway server, but in other cases an Authenticate by setting of Certificate provided by peer can be more useful.
It is also possible to restrict (or extend) the hosts that the road warrior can access on the local network zone. This is done by adjusting the Local network parameter in the tunnel configuration. For example, if you wish to restrict the connected road warriors so that they can only contact a specific IP address, for example 192.168.2.10, then you could set the Local network parameter to 192.168.2.10/32. Note that this setting is a network address, so you must always specify a network mask, even if that network mask covers only a single host. If the VPN server the road warrior connects to is routed onto other networks such as subnet VPNs or other local network zones, the Local network setting can likewise be expanded to cover them.
Visit the support portal and knowledge base for information on setting up other clients.


Chapter 10 Authentication and User Management
In this chapter:
• Configuring global authentication settings
• Working with directory servers
• Managing groups of users
• Managing temporarily banned users
• Viewing user activity
• About SSL login
• Managing Kerberos keytabs
• Using WPA Enterprise
Configuring Global Authentication Settings
Configuring global authentication settings entails setting login timeout, the number of concurrent login sessions allowed and the type of authentication logging you require.
To configure log-in and logging settings:
1 Navigate to the Services > Authentication > Settings page.

2 Configure the following settings:

Setting – Description
Login timeout (minutes) – Determines the length of time of inactivity after which a user is logged out. Accept the default or enter the timeout period. The behavior of some authentication mechanisms is automatically adjusted by the timeout period. For example, the SSL Login refresh rate will update to ensure that authenticated users do not time out. For more information, see Appendix A, About the Login Time-out on page 302.
Note: Setting a short login timeout increases the load on the machine, particularly when using transparent NTLM or SSL Login. It also increases the rate of re-authentication requests. Setting a long login timeout may enable unauthorized users to access the network if users leave computers without actively logging out.
Tip: Encourage users to pro-actively log out of the system to ensure that other users of their workstation cannot assume their privileges if the login timeout is yet to occur.
Concurrent login sessions (per user) – Concurrent login settings determine how many logins are allowed per user. The following options are available: No limit – Select this option to allow an unlimited number of logins per user, or enter the number of logins you want to allow users.
Logging level – Logging levels determine the type of authentication logging you want. The following options are available: Normal – Select this option to log user login and LDAP server information. Verbose – Select this option to log user login and LDAP server information, request, response and result information. This option is useful when troubleshooting possible authentication issues.

3 Click Save changes.
Advanced Firewall applies the changes.

About Directory Servers

The Advanced Firewall authentication service is designed to enable Advanced Firewall to connect to multiple directory servers in order to:
• Retrieve groups configured in directories and apply network and web filtering permissions to users based on group membership within directories
• Verify the identity of a user who is trying to access network or Internet resources.

Once the connection to a directory service has been configured, Advanced Firewall retrieves a list of the groups configured in the directory and maps them to the groups available in Advanced Firewall. When the groups have been mapped, permissions and network access permissions in the filtering and outgoing sections can be granted on the basis of group membership.
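The two timeouts on this page interact in a way that is easy to misjudge: the login timeout governs how long an idle session survives, while the Cache timeout (minutes) setting of each directory connection (see Configuring Directories) governs how long an accepted password is reused without asking the directory again, which is why a long cache timeout keeps an old password valid after it has been changed. The following model, added here as an illustration and not Smoothwall code, walks through idle expiry, the per-user concurrent login limit and the directory cache with a constructed test-double directory; the class and function names are assumptions for the example.

```python
"""Model of login timeout, concurrent login limit and directory cache timeout.

Added illustration, not Smoothwall code. Times are minutes on a simple counter.
"""
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Optional


def _digest(password: str) -> str:
    return sha256(password.encode()).hexdigest()


@dataclass
class Directory:
    """Constructed stand-in for an LDAP/AD server; counts how often it is asked."""
    passwords: dict            # user -> digest of the password currently set
    queries: int = 0

    def check(self, user: str, password: str) -> bool:
        self.queries += 1
        return self.passwords.get(user) == _digest(password)

    def set_password(self, user: str, password: str) -> None:
        self.passwords[user] = _digest(password)


@dataclass
class AuthService:
    directory: Directory
    login_timeout: int             # minutes of inactivity before a session is dropped
    cache_timeout: int             # minutes a successful directory answer is reused
    max_sessions: Optional[int]    # None models the "No limit" option
    cache: dict = field(default_factory=dict)      # user -> (digest, cached_at)
    sessions: dict = field(default_factory=dict)   # (user, ip) -> last activity

    def expire_idle(self, now: int) -> list:
        """Drop sessions idle for login_timeout minutes; return the ones logged out."""
        gone = [k for k, last in self.sessions.items() if now - last >= self.login_timeout]
        for k in gone:
            del self.sessions[k]
        return gone

    def _cache_hit(self, user: str, password: str, now: int) -> bool:
        entry = self.cache.get(user)
        if entry is None:
            return False
        digest, cached_at = entry
        if now - cached_at >= self.cache_timeout:
            del self.cache[user]           # record aged out: the directory is asked again
            return False
        return digest == _digest(password)

    def login(self, user: str, password: str, ip: str, now: int) -> bool:
        self.expire_idle(now)
        ok = self._cache_hit(user, password, now)
        if not ok:                         # cache miss or different password: ask the directory
            ok = self.directory.check(user, password)
            if ok:
                self.cache[user] = (_digest(password), now)
        if not ok:
            return False
        others = [k for k in self.sessions if k[0] == user and k[1] != ip]
        if self.max_sessions is not None and len(others) >= self.max_sessions:
            return False                   # concurrent login limit reached
        self.sessions[(user, ip)] = now
        return True

    def logout(self, user: str, ip: str) -> None:
        self.sessions.pop((user, ip), None)   # logout does not clear the directory cache


def demo() -> dict:
    """Scenario with a 10 minute login timeout, 30 minute cache and one session per user."""
    d = Directory({"alice": _digest("s3cret")})
    svc = AuthService(d, login_timeout=10, cache_timeout=30, max_sessions=1)
    out = {}
    out["first"] = svc.login("alice", "s3cret", "10.0.0.5", now=0)            # directory asked
    svc.logout("alice", "10.0.0.5")
    out["relogin"] = svc.login("alice", "s3cret", "10.0.0.5", now=5)          # served from cache
    out["queries_after_relogin"] = d.queries
    d.set_password("alice", "n3wpass")                                        # changed in the directory
    out["old_pw_still_ok"] = svc.login("alice", "s3cret", "10.0.0.5", now=10) # cache keeps it valid
    out["new_pw_ok"] = svc.login("alice", "n3wpass", "10.0.0.5", now=11)      # miss -> directory
    out["second_ip_denied"] = svc.login("alice", "n3wpass", "10.0.0.6", now=12)
    out["second_ip_after_idle"] = svc.login("alice", "n3wpass", "10.0.0.6", now=25)
    out["old_pw_after_cache_expiry"] = svc.login("alice", "s3cret", "10.0.0.6", now=45)
    out["queries_total"] = d.queries
    return out
```

Running demo() shows the old password still accepted at minute 10, four minutes after it was changed, and rejected only once the cached record has aged out; the directory is queried three times in total.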

Smoothwall Advanced Firewall Administrator’s Guide

For information on how authentication works and interacts with other systems, see Appendix A, Authentication on page 301.

Currently, Advanced Firewall supports the following directory servers:

Directory – Description
Microsoft Active Directory – Microsoft’s Active Directory. For more information, see Configuring a Microsoft Active Directory Connection on page 195. For information on using the legacy method to connect to Active Directory, see Configuring an Active Directory Connection – Legacy Method on page 200.
Novell eDirectory, Apple/Open LDAP, 389 Directory – Various directories which support the LDAP protocol. For more information, see Configuring an LDAP Connection on page 196.
RADIUS – Remote Authentication Dial In User Service. For more information, see Configuring a RADIUS Connection on page 199.
Local users – A directory of Advanced Firewall local users. For more information, see Configuring a Local Users Directory on page 203.

Configuring Directories

The following sections explain how to configure Advanced Firewall for use with supported directory servers.

Configuring a Microsoft Active Directory Connection

The following sections explain the prerequisites for Microsoft Active Directory and how to configure Advanced Firewall to work with Microsoft Active Directory.

Prerequisites for Active Directory

Before you configure any settings for use with Active Directory:
• On the Networking > Interfaces > Interfaces page, check that the primary, and optionally the secondary, DNS server containing the Active Directory information is specified correctly. This DNS server is used by Advanced Firewall for name lookups. For more information, see Appendix A, Advanced Firewall and DNS on page 302.
• In Active Directory, choose or configure a non-privileged user account to use for joining the domain. The account that you use needs permission to modify the Computers container. To delegate these permissions to a non-privileged user account, choose Delegate Control on the Computers container, create a custom task to delegate and, for Computer objects, grant the full control, create and delete privileges.
Note: We strongly recommend that you do not use an administrator account. Advanced Firewall stores this account’s credentials, for instance, when backing up and replicating settings.
• Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized using NTP. See Chapter 13, Setting Time on page 269 for more information.

e. select Active Directory and configure the following settings: Setting Description Status Select Enabled to enable the connection. Managing Tenants on page 275. Apple/OpenLDAP Directory or 389 Directory and configure the following settings: 196 Setting Description Status Select Enabled to enable the connection. Password Enter the password for the user account. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same. Tenants Optionally. click Add new directory. select which tenant(s) use this directory. Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Confirm Re-enter the password to confirm it. To configure an LDAP connection: 1 On the Services > Authentication > Directories page. Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. select one of the following: eDirectory. enter a comment about the directory. For more information on licensing. Other trusted domains will be accessible automatically. Advanced Firewall will not need to query the directory server for users who log out and log back in as long as their records are still in the cache.Authentication and User Management Configuring Directories Configuring an Active Directory Connection The following section explains what is required to configure a connection to Active Directory. 2 In the Add new directory dialog box. contact your Smoothwall representative. . Username Enter the username of the user account. until the cache timeout has been passed. Click Add. click Add new directory. Advanced Firewall adds the directory to its list of directories and establishes the connection. Cache timeout (minutes) Click Advanced. i. For more information on tenants. 2 In the Add new directory dialog box. 
Apple/ OpenLDAP or 389 directory server. Comment 3 Optionally. see Chapter 13. Configuring an LDAP Connection The following section explains what is required to configure a connection to an eDirectory. Setting a long cache timeout means that old passwords are valid for longer. Note: Setting a short cache timeout increases the load on the directory server. To configure the connection: 1 On the Services > Authentication > Directories page. Domain Enter the full DNS domain name of the domain.

Tenants – Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same.
Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on licensing, contact your Smoothwall representative. For more information on tenants, see Chapter 13, Managing Tenants on page 275.
LDAP server – Enter the directory’s IP address or hostname.
Note: If using Kerberos as the bind method, you must enter the hostname.
Bind method – Accept the default bind method, or from the drop-down list, select one of the following options: TLS (with password) – Select to use Transport Layer Security (TLS). Simple bind – Select to bind without encryption. This is frequently used by directory servers that do not require a password for authentication. Kerberos – Select to use Kerberos authentication.
Kerberos realm – If using Kerberos, enter the Kerberos realm. Use capital letters.
Username – Enter the username of a valid account in the LDAP notation format, when not using Kerberos. The format depends on the configuration of the LDAP directory. Normally it should look something like this: cn=user,ou=container,o=organization. This is what is referred to in the Novell eDirectory as tree and context. A user part of the tree Organization and in the context Sales would have the LDAP notation: cn=user,ou=sales,o=organization. For Apple Open Directory, the LDAP username can be written as: uid=user,cn=users,dc=example,dc=org. Consult your directory documentation for more information.
Password – Enter the password of a valid account.
Note: A password is not required if using simple bind as the bind method.
Confirm – Re-enter the password to confirm it.
User search root – Enter where in the directory Advanced Firewall should start looking for user accounts. Usually, this is the top level of the directory. In LDAP form, this is seen in the directory as dc=mycompany,dc=local. A Novell eDirectory will refer to this as the tree, taking the same form as the OpenLDAP-based directories o=myorganization. Apple Open Directory uses the form: cn=users,dc=example,dc=org.
Note: In larger directories, it may be a good idea to narrow down the user search root so Advanced Firewall does not have to look through the entire directory. For example, if all users that need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base.
Note: When working with multi domain environments, the user search root must be set to the top level domain.
Extra user search roots – This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter one search root per line. For example: ou=myusers,dc=mydomain,dc=local. For more information, see Appendix A, Working with Large Directories on page 303.
Group search roots – Enter where in the directory Advanced Firewall should start looking for user groups. The principle is the same as with the user search root setting. Usually this will be the same location as configured in the user search root field. For example: ou=mygroups,dc=mydomain,dc=local. OpenLDAP based directories will often use the form o=myorganization. Apple Open Directory uses the form: cn=groups,dc=example,dc=org.
Note: With larger directories, it may be necessary to narrow down the group search root. Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured. If there are multiple OUs containing groups that need to be mapped, add the other locations in the advanced section.
Extra group search roots – Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. Enter one search root per line.
LDAP port – Accept the default or enter the LDAP port to use.
Note: LDAPS (SSL) will be automatically used if you enter port number 636.
Cache timeout – Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.

Extra realms – This setting enables you to configure subdomains manually, using DNS. Only available if you have selected Kerberos as the authentication method. Use the following format: <realm><space><kdc server> For example: example.org kdc.example.org Enter one realm per line.
Discover Kerberos realms through DNS – Select this advanced option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information.
Comment – Optionally, enter a comment about the directory.

3 Click Add.
Advanced Firewall adds the directory to its list of directories and establishes the connection.

Configuring a RADIUS Connection

You can configure Advanced Firewall to use a Remote Authentication Dial In User Service (RADIUS) as an authentication service.

Prerequisites

Before you configure any settings:
• Configure the RADIUS server to accept queries from Advanced Firewall. Consult your RADIUS server documentation for more information.

Configuring the Connection

To configure the connection:
1 On the Services > Authentication > Directories page, click Add new directory.
2 In the Add new directory dialog box, select RADIUS and configure the following settings:

Setting – Description
Status – Select Enabled to enable the connection.
Tenants – Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same.
Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on licensing, contact your Smoothwall representative. For more information on tenants, see Chapter 13, Managing Tenants on page 275.
RADIUS server – Enter the hostname or IP address of the RADIUS server.
Secret – Enter the secret shared with the server.
Confirm – Re-enter the secret to confirm it.
Comment – Optionally, enter a comment about the directory.

Action on login failure – Try next directory server – Select this option if users in RADIUS are unrelated to users in any other directory server. Deny access – Select this option if the RADIUS password should override the password set in another directory server, for example when using an authentication token.
Port – Accept the default port or specify a UDP port to use when communicating with the RADIUS server. The default is port 1812.
Identifying IP address – Enter the IP address to use to identify the caller connecting to the RADIUS server, if it must be different to the internal IP address of the system.
Obtain groups from RADIUS – If the RADIUS server can provide group information, select this option to enable Advanced Firewall to use the group information in the RADIUS Filter-Id attribute. When not enabled, Advanced Firewall will use group information from the next directory server in the list. If there are no other directories in the list, Advanced Firewall will place all users in the Default Users group.
Cache timeout (minutes) – Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
Comment – Optionally, enter a comment about the directory.

3 Click Add.
Advanced Firewall adds the directory to its list of directories and establishes the connection.

Configuring an Active Directory Connection – Legacy Method

Note: This is the legacy method of configuring an Active Directory connection. For a simpler method, we recommend that you use the latest method; see Configuring a Microsoft Active Directory Connection on page 195 for more information.

The following sections explain the prerequisites for Microsoft Active Directory and how to use the legacy method to configure Advanced Firewall to work with Microsoft Active Directory.

Prerequisites for Active Directory

Before you configure any settings for use with Active Directory:
• Run the Advanced Firewall Setup program and check that the DNS server containing the Active Directory information is specified correctly. This DNS server is used by Advanced Firewall for name lookups. For more information, see Appendix A, Advanced Firewall and DNS on page 302 and the Advanced Firewall Installation and Setup Guide.
• Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized.
• Check that DNS reverse lookup is configured on the Active Directory DNS server for the Active Directory servers.
Note: Do not use the administrator account as the lookup user. Often the administrator account will not have a Windows 2000 username, preventing the account from being used by the authentication service.

The Active Directory DNS servers will need a reverse lookup zone with pointer (PTR) records for the Active Directory servers for a successful lookup to be able to take place. Often, these will be the same servers that hold the Active Directory. Refer to the Microsoft DNS server help if you need assistance in setting up a reverse lookup zone. Advanced Firewall requires DNS servers that can resolve the Active Directory server hostnames. See also Appendix A, Active Directory on page 303, and Appendix A, Advanced Firewall and DNS on page 302 for more information.

Configuring an Active Directory Connection

Configuring an Active Directory connection entails specifying server details and optionally the Kerberos realm to use, search roots and any advanced settings required.

To configure the connection:
1 Navigate to the Services > Authentication > Directories page.
2 In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next.
Advanced Firewall displays the settings for Active Directory.
3 Configure the following settings:

Setting – Description
Status – Select Enabled to enable the connection.
Tenants – Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same.
Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on licensing, contact your Smoothwall representative. For more information on tenants, see Chapter 13, Managing Tenants on page 275.
Active Directory server – Enter the directory server’s full hostname.
Username – Enter the username of a valid account. Enter the username without the domain. The domain will be added automatically by Advanced Firewall.
Note: For Microsoft Active Directory, in a multi domain environment, the username must be a user in the top level domain.
Password – Enter the password of a valid account.
Confirm – Re-enter the password to confirm it.
Kerberos realm – Optionally, select Automatic or enter the Kerberos realm.
Cache timeout (minutes) – Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall will not need to query the directory server for users who log out and log back in as long as their records are still in the cache, i.e. until the cache timeout has been passed.
Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer.

4 Optionally, click Advanced to access and configure the following settings:

Setting – Description
LDAP port – Accept the default, or enter the LDAP port to use.
User search root – Optionally, select Automatic, to configure Advanced Firewall to start looking for user accounts at the top level of the directory. Or enter the user search root to start looking in, for example: ou=myusers,dc=mydomain,dc=local
Note: When working with multi-domain environments, the user search root must be set to the top level domain.
Extra user search roots – This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter search roots one per line. For more information, see Appendix A, Working with Large Directories on page 303.
Group search root – Optionally, select Automatic, to configure Advanced Firewall to start looking for user groups at the top level of the directory. Or enter the group search root to start looking in, for example: ou=mygroups,dc=mydomain,dc=local
Note: Some directories will not return more than 1 000 results for a search, so if there are more than 1 000 groups in the directory, a more specific group search root needs to be configured.
Extra group search roots – Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. Enter search roots one per line.
Use sAMAccountName – This setting applies when using Microsoft Windows NT4 or older installations. Enter the sAMAccountName to override the userPrincipalName.
NetBIOS workgroup – This setting applies when using NTLM authentication with Guardian. Select Automatic or enter the NetBIOS domain name to use when joining the workgroup. Advanced Firewall cannot join domains required for NTLM authentication where the workgroup, also known as NetBIOS domain name or pre-Windows 2000 domain name, is not the same as the Active Directory domain.
Enabled – Select this option to enable the connection to the directory server.
Discover Kerberos realms through DNS – Select this option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information.

Extra realms – This setting enables you to configure subdomains manually, as opposed to automatically, using DNS. Use the following format: <realm><space><kdc server> For example: example.org kdc.example.org Enter one realm per line.
Comment – Optionally, enter a comment about the directory server and the settings used.

5 Click Add.
Advanced Firewall adds the directory to its list of directories.

Reordering Directory Servers

Tip: If most of your users are in one directory, list that directory first so as to reduce the number of queries required. If user passwords are checked by a RADIUS server and group information is obtained from LDAP, list the RADIUS server first.

To reorder directory servers:
1 On the Services > Authentication > Directories page, select the directory server you want to move and click Up or Down until the server is where you want it.
2 Repeat the step above for any other directories you want to move.
3 Click Save moves.
Advanced Firewall applies the changes.

Configuring a Local Users Directory

Advanced Firewall stores user account information comprised of usernames, passwords and group membership in local user directories so as to provide a standalone authentication service for network users. For information on adding and managing local users, see Managing Local Users on page 204.

To configure a local users directory:
1 On the Services > Authentication > Directories page, click Add new directory.
2 In the Add new directory dialog box, select Local users and configure the following settings:

Setting – Description
Status – Select Enabled to enable the connection.
Tenants – Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same.
Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on licensing, contact your Smoothwall representative. For more information on tenants, see Chapter 13, Managing Tenants on page 275.
Name – Accept the default name or enter a new name.
Comment – Optionally, enter a comment about the directory.

3 Click Add.
Advanced Firewall adds the directory to its list of directories and establishes the connection.
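The Username, User search root, Extra user search roots, Group search roots and LDAP port settings under Configuring an LDAP Connection, and the search root settings of the legacy Active Directory method above, all rely on LDAP distinguished-name notation. The helpers below are an added example, not Smoothwall code or an Advanced Firewall API: they parse the DN forms the page shows, narrow a search root by an organizational unit as the page recommends for large directories, check which constructed sample entries a given set of roots would reach, and apply the rule that port 636 means LDAPS. RFC 4514 escaping of commas inside values is deliberately not handled, and the sample entries are constructed.

```python
"""LDAP DN and search-root helpers for the settings described on this page.

Added example, not Smoothwall code. Escaped separators (RFC 4514) are not supported.
"""


def parse_dn(dn: str) -> list:
    """Split 'cn=user,ou=sales,o=organization' into [(attr, value), ...].

    Attribute types are case-insensitive in LDAP, so they are lower-cased;
    values keep their case. A malformed RDN raises ValueError so a typo in a
    search root is caught before it is saved.
    """
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr, value))
    return rdns


def is_under(entry_dn: str, search_root: str) -> bool:
    """True if entry_dn is the search root itself or lies beneath it (suffix match)."""
    entry, root = parse_dn(entry_dn), parse_dn(search_root)
    if len(root) > len(entry):
        return False
    tail = [(a, v.lower()) for a, v in entry[len(entry) - len(root):]]
    return tail == [(a, v.lower()) for a, v in root]


def narrow_root(base_dn: str, ou: str) -> str:
    """Prefix an OU to the domain base, e.g. ou=userunit in front of dc=mycompany,dc=local."""
    return f"ou={ou},{base_dn}"


def parse_search_roots(text: str) -> list:
    """One search root per line (the Extra user/group search roots fields); blank lines ignored."""
    roots = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            parse_dn(line)            # validate before accepting
            roots.append(line)
    return roots


def ldap_url(host: str, port: int = 389) -> str:
    """Port 636 selects LDAPS automatically; any other port is plain LDAP (TLS may still be negotiated)."""
    scheme = "ldaps" if port == 636 else "ldap"
    return f"{scheme}://{host}:{port}"


def users_in_scope(entries: list, root: str, extra_roots=()) -> list:
    """Which directory entries a search starting at root (plus extra roots) would find."""
    roots = [root, *extra_roots]
    return [dn for dn in entries if any(is_under(dn, r) for r in roots)]


# Constructed sample entries in the three notations the page describes:
# eDirectory tree/context, Apple Open Directory, and a domain-based OU layout.
SAMPLE_ENTRIES = [
    "cn=user,ou=sales,o=organization",
    "cn=bob,ou=engineering,o=organization",
    "uid=user,cn=users,dc=example,dc=org",
    "cn=jane,ou=myusers,dc=mydomain,dc=local",
    "cn=svc-backup,ou=services,dc=mydomain,dc=local",
]
```

Running users_in_scope over SAMPLE_ENTRIES with the root ou=myusers,dc=mydomain,dc=local finds only jane, while dc=mydomain,dc=local also finds the service account; that is the narrowing the page recommends, and extra roots re-widen the search one OU at a time.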

Tip: You can also drag and drop directories to where you want them. Just remember to click Save moves.

Editing a Directory Server

To edit a directory server:
1 On the Services > Authentication > Directories page, point to the directory server and click Edit.
The Edit directory dialog box opens.
2 Make the changes required; see Configuring Directories on page 195 for information on the settings available.
3 Click Save changes.
Advanced Firewall applies the changes.

Deleting a Directory Server

To delete a directory server:
1 On the Services > Authentication > Directories page, point to the directory server and click Delete.
When prompted, confirm that you want to delete the directory.
Advanced Firewall deletes the server.

Diagnosing Directories

It is possible to review a directory’s status and run diagnostic tests on it.

To diagnose a directory:
1 On the Services > Authentication > Directories page, point to the directory server and click Diagnose.
Advanced Firewall displays current directory connection, user account and status information.
Tip: You can diagnose multiple directories at the same time. Select the directories and click Diagnose.

Managing Local Users

Advanced Firewall stores user account information comprised of usernames, passwords and group membership in local user directories so as to provide a standalone authentication service for network users.

Adding Users

To add a user to a local user directory:
1 On the Services > Authentication > Directories page, click on the local user directory you want to add a user to.
Advanced Firewall displays any current local users.
2 Click Add new user. In the Add new user dialog box, configure the following settings:

Setting – Description
Enabled – Select to enable the user account.
Username – Enter the user account name.
Password – Enter the password associated with the user account. Passwords must be a minimum of six characters long.

Repeat password – Re-enter the password to confirm it.
Select group – From the drop-down menu, select a group to assign the user account to.

3 Click Add.
Advanced Firewall saves the information.
4 Repeat the steps above to add more users.

Editing Local Users

To edit an existing user's details:
1 On the Services > Authentication > Directories page, click on the local user directory containing the user account you want to edit.
Advanced Firewall displays current local users.
2 Point to the user account and click Edit. In the Edit user dialog box, make the changes required. See Adding Users on page 204 for more information on the settings available.
3 Click Save changes.
Advanced Firewall applies the changes.

Deleting Users

To delete users:
1 On the Services > Authentication > Directories page, click on the local user directory containing the user account(s) you want to delete.
Advanced Firewall displays current local users.
2 Point to the user account and click Delete. When prompted, confirm that you want to delete the account.
Advanced Firewall deletes the account.
3 Repeat the steps above to delete other accounts.

Mapping Groups

Once you have successfully configured a connection to a directory, you can map the groups Advanced Firewall retrieves from the directory in order to apply permissions and restrictions to the users in the groups.

To map directory groups to Advanced Firewall groups:
1 On the Services > Authentication > Directories page, click on the directory that contains the group you want to map.
Advanced Firewall displays any current group mappings.
2 Click Add new group mapping. In the Add new group mapping dialog box, configure the following settings:

Setting – Description
Enabled – Select to enable the mapping.
Directory service group – From the drop-down list, select the directory group(s) you want to map.
Tip: You can filter the groups shown by entering parts of group names in this field.
Local group – From the drop-down list, select the Advanced Firewall group you want to map the directory service group(s) to.

3 Click Add.
Advanced Firewall creates the mapping.
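Three pieces of this chapter determine which Advanced Firewall group a user finally lands in: the order of the directory list (Reordering Directory Servers), the RADIUS settings Action on login failure and Obtain groups from RADIUS (Configuring a RADIUS Connection), and the directory-to-local group mappings above. The following model is an added example, not Smoothwall code, and puts those rules together so the effect of ordering can be seen: with RADIUS first, group data comes from the LDAP directory that follows it; with LDAP first, the user who only exists in RADIUS ends up in Default Users because there is no next directory. The directories, users and group names are constructed; how unmapped directory groups are treated (ignored, falling back to Default Users) is an assumption of the example.

```python
"""Directory-chain evaluation: ordering, RADIUS failure action, Filter-Id groups, mappings.

Added example, not Smoothwall code. Passwords are plain text only because these are
constructed test doubles.
"""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_GROUP = "Default Users"


@dataclass
class Directory:
    """A password-checking directory (LDAP/AD/local users) that also supplies groups."""
    name: str
    passwords: dict = field(default_factory=dict)   # user -> password
    groups: dict = field(default_factory=dict)      # user -> [directory group, ...]

    def check(self, user: str, password: str) -> bool:
        return self.passwords.get(user) == password

    def groups_for(self, user: str):
        return self.groups.get(user)                # None: unknown here


@dataclass
class RadiusDirectory(Directory):
    """RADIUS: optional Filter-Id groups; Action on login failure is try-next or deny."""
    on_failure: str = "try-next"
    obtain_groups: bool = False
    filter_id: dict = field(default_factory=dict)   # user -> groups carried in Filter-Id

    def groups_for(self, user: str):
        return self.filter_id.get(user) if self.obtain_groups else None


@dataclass
class Outcome:
    ok: bool
    directory: Optional[str]
    groups: list
    queried: list


def map_groups(directory_groups, mapping) -> list:
    """Apply directory-group -> local-group mappings (assumption: unmapped groups confer nothing)."""
    if not directory_groups:
        return [DEFAULT_GROUP]
    if mapping is None:
        return list(directory_groups)
    local = [mapping[g] for g in directory_groups if g in mapping]
    return local or [DEFAULT_GROUP]


def authenticate(chain: list, user: str, password: str, mapping=None) -> Outcome:
    """Walk the directory list in order and return the Advanced Firewall groups for the user."""
    queried = []
    for i, d in enumerate(chain):
        queried.append(d.name)
        if d.check(user, password):
            groups = d.groups_for(user)
            if groups is None and i + 1 < len(chain):
                # No group data here (RADIUS without Filter-Id): group information
                # is taken from the next directory server in the list.
                groups = chain[i + 1].groups_for(user)
            return Outcome(True, d.name, map_groups(groups, mapping), queried)
        if isinstance(d, RadiusDirectory) and d.on_failure == "deny":
            return Outcome(False, d.name, [], queried)   # RADIUS password overrides the rest
    return Outcome(False, None, [], queried)


def build(order: list, **radius_opts) -> list:
    """Constructed sample directories: a RADIUS token server and an LDAP directory."""
    radius = RadiusDirectory("radius", passwords={"alice": "token-482913"}, **radius_opts)
    ldap = Directory("ldap", passwords={"alice": "ldap-pw", "bob": "bob-pw"},
                     groups={"alice": ["Staff"], "bob": ["Students"]})
    by_name = {"radius": radius, "ldap": ldap}
    return [by_name[n] for n in order]


MAPPING = {"Staff": "Unrestricted", "Students": "Filtered"}   # constructed group mappings
```

Compare authenticate(build(["radius", "ldap"]), "alice", "token-482913", MAPPING), which yields Unrestricted via the LDAP groups, with the same call on build(["ldap", "radius"]), which costs an extra query and yields Default Users; that is the case the reordering tip is about.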

Remapping Groups

It is possible to change group mappings.

To remap groups:
1 On the Services > Authentication > Directories page, click on the directory that contains the group you want to remap.
Advanced Firewall displays the current group mappings.
2 Point to the group and click Edit. In the Edit group mapping dialog box, remap the group(s) as required. See Mapping Groups on page 205 for more information on the settings available.
3 Click Save changes.
Advanced Firewall remaps the group(s).

Deleting Group Mappings

It is possible to delete group mappings.

To delete one or more group mappings:
1 On the Services > Authentication > Directories page, click on the directory that contains the mapping(s) you want to delete.
Advanced Firewall displays the current group mappings.
2 Select the mapping(s) and click Delete. When prompted, confirm the deletion by clicking Delete.
Advanced Firewall deletes the mapping(s).

Managing Temporarily Banned Users

Advanced Firewall enables you to temporarily ban specific user accounts. When temporarily banned, the user is added to the Banned users group.
Note: You can apply any web filtering policy to the Banned users group.

Creating a Temporary Ban

Note: Only administrators and accounts with Temp ban access can manage banned accounts. For more information, see Chapter 13, Administrative User Settings on page 274.

To ban an account temporarily:
1 Navigate to the Services > Authentication > Temporary bans page.

2 Click Add new temporary ban. In the Add new temporary ban dialog box, configure the following settings:

Setting – Description
Status – Select Enabled to enable the ban immediately.
Username – Enter the user name of the account you want to ban.
Ban expires – Click and select when the ban expires.
Comment – Optionally, enter a comment explaining why the account has been banned.

3 Click Add.
Advanced Firewall enforces the ban immediately.
Tip: You can edit the block page displayed to banned users so that it gives them information on the ban in force. See Chapter 7, Managing Block Pages on page 101 for more information.
Tip: There is also a ban option on the Services > Authentication > User activity page; for more information, see Managing User Activity on page 208.

Removing Temporary Bans

To remove a ban:
1 Navigate to the Services > Authentication > Temporary bans page.
2 In the Current rules area, select the ban and click Remove.
Advanced Firewall removes the ban.

Removing Expired Bans

To remove bans which have expired:
1 Navigate to the Services > Authentication > Temporary bans page.
2 In the Current rules area, click Remove all expired.
Advanced Firewall removes all bans which have expired.

Managing User Activity

Advanced Firewall enables you to see who is logged in and who has recently logged out. You can also log users out and/or ban them.

Viewing User Activity

To view activity:
1 Navigate to the Services > Authentication > User activity page.
Advanced Firewall displays who is logged in, who recently logged out, the group(s) the user belongs to, their source IP and the method of user authentication. Recently logged out users are listed for 15 minutes.

Logging Users Out

To log a user out:
1 On the Services > Authentication > User activity page, point to the user you want to log out and click Log user out.
Advanced Firewall logs the user out immediately and lists them as logged out.
Note: Logging a user out is not the same as blocking a user from accessing web content. If the user is using SSL login, they will be prompted to authenticate again. Connection-based authentication will automatically log the user back in.

Banning Users

To ban a user:
1 On the Services > Authentication > User activity page, point to the user you want to ban and click Ban user.
Advanced Firewall copies the user’s information and displays it on the Services > Authentication > Temporary bans page where you can configure the ban. For more information, see Creating a Temporary Ban on page 206.

About SSL Authentication

Advanced Firewall provides SSL Login as a built-in authentication mechanism which can be used by authentication-enabled services to apply permissions and restrictions on a customized, per-user basis.

When SSL Login is configured, network users requesting port 80 for outbound web access will be automatically redirected to a secure login page, the SSL Login page, and prompted for their user credentials. SSL Login authentication works by dynamically adding a rule for the IP address of each authenticated user, thus allowing SSL Login redirection to be bypassed for authenticated users. When an authenticated user logs out or exceeds the time-out limit, the rule is removed and future outbound requests on port 80 will again cause automatic redirection to the SSL Login.

The SSL Login page can be manually accessed by users wishing to pro-actively authenticate themselves, typically where they need to use a non-web authentication-enabled service, for example, group bridging, or where only a small subset of users require authentication.

Customizing the SSL Login Page

When using SSL as an authentication method, it is possible to customize the title image, background image and message displayed on an SSL login page.

Customizing the Title Image

It is possible to customize the title image displayed on the SSL login page.

To upload a custom title image:
1 Browse to the Services > Authentication > SSL login page.
2 Click the Title image Browse/Select file button. Using your browser’s controls, locate and select the file.
3 Click Save changes.
Advanced Firewall uploads the file and makes it available on the SSL login page.

Customizing the Background Image
It is possible to customize the background image used on an SSL login page.
To upload a background image:
1 On the Services > Authentication > SSL login page, click the Background image Browse/Select file button. Using your browser’s controls, locate and select the file.
2 Click Save changes. Advanced Firewall uploads the file and makes it available on the SSL login page.

Customizing the Message
It is possible to provide users with a customized message.
To customize the login message:
1 Navigate to the Services > Authentication > SSL login page.
2 In the Customize SSL Login area, enter your custom message in the SSL login page text box.
3 Click Save changes to apply the new message.

Removing Custom Files
To remove a custom file:
1 Browse to the Services > Authentication > SSL login page.
2 To remove the title image, click Delete, adjacent to Title image.
3 To remove the background image, click Delete, adjacent to Background image.

Reviewing SSL Login Pages
You can review SSL Login pages.
To review the SSL Login page:
1 In the web browser of your choice, enter your Advanced Firewall system’s IP address and /login. For example: http://192.168.72.141/login or, using HTTPS, https://192.168.72.141:442/login. Advanced Firewall displays the SSL login page.

Configuring SSL Login
Note: If you add Guardian3 to an Advanced Firewall installation which does not have SSL login configured, the SSL login redirection section will not be available. If you add Guardian3 to an Advanced Firewall installation which already has SSL login configured, ensure that SSL Login redirection is not enabled both on interface(s) on this page and in a web proxy authentication policy. For more information on web proxy authentication policies, see the Guardian3 Administrator’s Guide.

SSL Login authentication is configured on a per-interface basis.
To configure SSL Login:
1 Navigate to the Services > Authentication > SSL login page.
2 In the SSL login redirection area, select each interface on which you want to activate SSL Login.
3 Click Save changes. Advanced Firewall enables SSL Login on the selected interfaces.

Creating SSL Login Exceptions
SSL Login exceptions can be created in order to prevent certain hosts, ranges of hosts or subnets from being automatically redirected to the SSL Login page.
Tip: This option is useful for avoiding requiring servers to authenticate.
To create an SSL login exception:
1 Browse to the Services > Authentication > SSL login page.
2 Locate the SSL login redirection area. In the Redirect exception addresses field, enter an IP address, IP range or subnet that should not be redirected to the SSL Login.
3 Repeat the step above on a new line for each further exception you want to make.
4 Click Save changes.
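The redirection decision described in About SSL Authentication together with the exception list above, modelled as an added example (this is not Smoothwall code): authenticating adds a per-IP bypass rule, logout or time-out removes it, and exception addresses are never redirected. The time-out length and the exception syntax accepted here (single IP, first-last range, CIDR subnet) are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SslLoginPolicy:
    """Models the SSL Login redirection decision. Authenticating adds a per-IP
    bypass rule; logout or time-out removes it; addresses in the redirect
    exception list are never redirected. The timeout length and the exception
    syntax (single IP, 'first-last' range, CIDR subnet) are assumptions."""
    timeout_seconds: int = 3600
    exceptions: list = field(default_factory=list)
    authenticated: dict = field(default_factory=dict)  # ip -> auth time

    def add_exception(self, entry: str) -> None:
        """Parse one line of the Redirect exception addresses field."""
        entry = entry.strip()
        if "-" in entry:                     # first-last range
            first, last = (p.strip() for p in entry.split("-", 1))
            self.exceptions.append((ipaddress.ip_address(first),
                                    ipaddress.ip_address(last)))
        elif "/" in entry:                   # subnet in CIDR notation
            self.exceptions.append(ipaddress.ip_network(entry, strict=False))
        else:                                # single host
            self.exceptions.append(ipaddress.ip_address(entry))

    def is_exception(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        for entry in self.exceptions:
            if isinstance(entry, tuple):
                first, last = entry
                if addr.version == first.version and first <= addr <= last:
                    return True
            elif isinstance(entry, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
                if addr.version == entry.version and addr in entry:
                    return True
            elif addr == entry:
                return True
        return False

    def authenticate(self, ip: str, now: float) -> None:
        self.authenticated[ip] = now         # the dynamically added rule

    def logout(self, ip: str) -> None:
        self.authenticated.pop(ip, None)     # rule removed on logout

    def is_authenticated(self, ip: str, now: float) -> bool:
        started = self.authenticated.get(ip)
        if started is None:
            return False
        if now - started > self.timeout_seconds:
            del self.authenticated[ip]       # rule removed on time-out
            return False
        return True

    def should_redirect(self, ip: str, dst_port: int, now: float) -> bool:
        """True when an outbound request must be sent to the SSL Login page."""
        if dst_port != 80:                   # only port 80 is redirected
            return False
        if self.is_exception(ip):
            return False
        return not self.is_authenticated(ip, now)
```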

Managing Kerberos Keytabs
Note: When using Microsoft Active Directory for authentication, Kerberos keys are managed automatically. For other directory servers, it is necessary to import keytabs manually; see the following section for information on how to do this.

A Kerberos keytab is a file which contains pairs of Kerberos principals and encrypted keys. By importing and using Kerberos keytabs, Advanced Firewall services, such as authentication, can use the interoperability features provided by Kerberos.

For information on using Kerberos as the authentication method in authentication policies, see Chapter 6, Creating Authentication Policies on page 67.

Adding Keytabs
The following section explains how to add Kerberos keytabs into Advanced Firewall. For information on generating keytabs, consult the documentation delivered with your directory server. Also, see http://technet.microsoft.com/en-us/library/cc753771%28v=WS.10%29.aspx, available at the time of writing, which discusses how to get a keytab from Active Directory.

To add a keytab:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 Click Add new keytab and configure the following settings:

Setting
Description

Status
Accept the default setting to enable the keytab.

Name
Enter a descriptive name for the keytab.

File
Using your browser, locate and select the keytab.

Comment
Optionally, enter a comment to describe the keytab.

3 Click Add. Advanced Firewall adds the keytab and lists it in the Kerberos keytabs area.
4 Repeat the steps above for any other keytabs you need to import.

Managing Keytabs
The following sections explain how to enable, view, edit and delete Kerberos keytabs.

Disabling Keytabs
Kerberos keytabs are enabled by default. It is possible to disable a Kerberos keytab when required, for example, when troubleshooting.
To disable a keytab:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3 In the Edit keytab dialog box, clear the Enabled option. Click Save changes to save the setting. Advanced Firewall disables the keytab.

Viewing Keytab Content
It is possible to view the contents of a Kerberos keytab.
To view a Kerberos keytab:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3 In the Edit keytab dialog box, click the keytab’s display arrow. Advanced Firewall displays the content.

Editing Keytabs
It is possible to change the name of the Kerberos keytab file.
To change the name of the Kerberos keytab file:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3 In the Edit keytab dialog box, change the name as required and click Save changes. Advanced Firewall changes the name and lists the Kerberos keytab in the Installed Kerberos keytabs area.

Deleting Keytabs
It is possible to delete Kerberos keytabs that are no longer required.
To delete a Kerberos keytab:
1 Browse to the Services > Authentication > Kerberos keytabs page.
2 In the Installed Kerberos keytabs area, point to the keytab and select Delete.
3 When prompted to confirm the deletion, click Delete. Advanced Firewall deletes the keytab.

Using WPA Enterprise
Advanced Firewall’s use of WPA Enterprise enables users to connect their own wireless devices to the network (known as ‘bring your own device’ or BYOD) and run applications with authentication that is unobtrusive. Advanced Firewall links your organization's Active Directory domain to a RADIUS server. As a network administrator, you can configure your wireless network infrastructure to authenticate users using the RADIUS server so that users can use their Active Directory accounts as wireless client login details.

Configuring WPA Enterprise comprises:

• Checking that your network is configured as required. For more information, see Pre-requisites on page 214
• Setting up wireless access points to use Advanced Firewall as a RADIUS server. For more information, see Configuring Access Points on page 214
• Configuring Advanced Firewall to use WPA Enterprise. For more information, see Configuring WPA Enterprise on page 215
• In some cases, manually making the Advanced Firewall CA certificate available to devices which cannot accept it when users authenticate to the wireless network. For more information, see Provisioning the Advanced Firewall Certificate on page 215

Pre-requisites
• On Advanced Firewall, DHCP must be enabled and there must be a valid DHCP subnet configured. For more information on DHCP, see Chapter 8, DHCP on page 119
• Wireless access points must be on the same subnet as Advanced Firewall. Advanced Firewall must be the DHCP server for that subnet. Switches are allowed, but there must be no routers between them.
• Users’ wireless devices must support WPA Enterprise with PEAP and MSCHAPv2
• For users to whom a web filtering policy applies, Guardian must be configured to use core authentication. For more information, see Chapter 6, Creating Authentication Policies on page 67
• Advanced Firewall’s Active Directory authentication method must be used to authenticate users. For more information, see Configuring a Microsoft Active Directory Connection on page x
Note: Local users are not supported, nor is the legacy Active Directory authentication method.

Configuring Access Points
Note: Consult the documentation delivered with your wireless access point for complete information on how to configure it in detail.
To configure a wireless access point:
1 Log on to the wireless access point.
2 Create or modify a wireless network to use WPA2 with 802.1X.
Note: On the access point, the wireless network type may be referred to as: WPA2-Enterprise, WPA2RADIUS or WPA2 with a separate option for RADIUS. WPA2 is most secure. To support older hardware, WPA version 1 is also supported. Some wireless access points support WPA/WPA2 simultaneously.
3 Make a note of the shared secret for the wireless network. You will need this when configuring WPA Enterprise on Advanced Firewall.
4 Set Advanced Firewall as the RADIUS server for both authentication and accounting. Some wireless access points require two separate settings for this.

Configuring WPA Enterprise
To configure WPA Enterprise:
1 Browse to the Services > Authentication > WPA Enterprise page.
2 Click Add new access point.
3 In the Add new access point dialog box, configure the following settings:

Setting
Description

Status
Select Enabled to enable the access point.

Name
Enter a name for the access point.

IP address
Enter the IP address of the access point.

Shared secret
Enter the secret that secures RADIUS communication between the access point and Advanced Firewall.

Confirm
Re-enter the shared secret to confirm it.

Comment
Optionally, enter a comment to describe the access point.

4 Click Add. Advanced Firewall applies the settings and lists the access point. Users who now try to access the wireless network will be prompted to authenticate.
Note: See Provisioning the Advanced Firewall Certificate on page 215, for devices which do not automatically accept the Advanced Firewall certificate.

Provisioning the Advanced Firewall Certificate
Some devices may not automatically accept the Advanced Firewall certificate when users try to authenticate themselves to the wireless network. For those devices, you can download the Advanced Firewall certificate to make it available in a way supported by the devices.
To provision the certificate:
1 On the Services > Authentication > WPA Enterprise page, click Download CA certificate.
2 Save the certificate in a secure location and consult the documentation provided with the device(s) as to how best to install it on the device(s).

Authentication and User Management
Managing Groups of Users

Managing Groups of Users
The following sections discuss groups of users and how to manage them.

About Groups
Advanced Firewall uses the concept of groups to provide a means of organizing and managing
similar user accounts. Authentication-enabled services can associate permissions and restrictions to
each group of user accounts, thus enabling them to dynamically apply rules on a per-user account
basis.
Local users can be added or imported to a particular group, with each group being organized to
mirror an organization’s structure. Groups can be renamed by administrators to describe the users
that they contain.
Currently, Advanced Firewall supports 1000 groups and by default, contains the following groups:
Group

Description

Unauthenticated IPs

The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for
unauthenticated users, i.e. users that are not logged in, currently
unauthenticated or cannot be authenticated.
Note: This group cannot be renamed or deleted.

Default Users

Users can be mapped to Default Users. The main purpose of this group
is to allow certain authentication-enabled services to define permissions
and restrictions for users that are not specifically mapped to an
Advanced Firewall group, i.e. users that can be authenticated, but who
are not mapped to a specific Advanced Firewall authentication group.
Note: This group cannot be renamed or deleted.

Banned Users

The purpose of this group is to contain users who are banned from
using an authentication-enabled service.
Note: This group cannot be renamed or deleted.

Network Administrators

This group is a normal user group, configured with a preset name, and
setup for the purpose of granting network administrators access to an
authentication-enabled service.
Because the Network Administrators group is a normal group with a
preset configuration, it can be both renamed and used by
authentication-enabled services to enforce any kind of permissions or
restrictions.

Adding Groups
It is possible to add groups to Advanced Firewall. Currently, Advanced Firewall supports 1000
groups.
To add a group:
1

On the Services > Authentication > Groups page, click Add new group.

2

In the Add new group dialog box, enter the following information:


Field

Description

Name

Enter a name for the group.

Comment

Optionally, enter a comment.

3

Click Add. Advanced Firewall creates the group and lists it.

Editing Groups
Note: It is not possible to rename the Unauthenticated IPs, Default Users or Banned Users groups.
To edit a group:
1

On the Services > Authentication > Groups page, point to the group and click Edit.

2

In the Edit group dialog box, enter the following information:

Field

Description

Name

When renaming a group, enter a new name.

Comment

Edit or enter a new comment.

3

Click Save changes. Advanced Firewall applies the changes.

Deleting Groups
Note: It is not possible to delete the Unauthenticated IPs, Default Users or Banned Users groups.
To delete a group or groups:
1

On the Services > Authentication > Groups page, select the group(s) and click Delete.

2

When prompted to confirm the deletion, click Delete. Advanced Firewall deletes the group(s).



Chapter 11

Reporting
In this chapter:

About the Summary page

Working with Advanced Firewall reports

Managing datastore/log retention settings.

About the Summary Page
The summary page displays a customizable list of reports.
To access the summary page:
1

Navigate to the Logs and reports > Reports > Summary page.

Note: The information displayed depends on the product series you are using.
A list of the reports generated by default is displayed. For information on customizing the reports
displayed, see Chapter 13, Configuring the User Interface on page 268.

Accessing Reporting
Advanced Firewall can produce many types of reports which provide information on almost every
aspect of Advanced Firewall.
To access reporting:
1

Navigate to the Logs and reports > Reports > Reports page.


Generating Reports
Advanced Firewall contains a broad range of reports which can be generated immediately.
To generate a report:
1

Navigate to the Logs and reports > Reports > Reports page and click on a folder containing the
report you want to generate.

2

Click on the report to access its options. Advanced Firewall displays the options available.

Tip:

Click Advanced to see a description of the report, access advanced options and portal publication
permissions. For more information on publishing reports, see Chapter 8, Making Reports Available
on page 83.

3

If applicable, set the time interval for the report and enter/select any option(s) you require.

4

Click Run report to generate the report. Advanced Firewall displays the report.

Canceling a Report
It is possible to cancel a report if it is taking a long time to generate.
To cancel a report:
1

Generate the report, see Generating Reports on page 220.

2

When the report progress bar is displayed, click Cancel. Advanced Firewall cancels the report.

Saving Reports
If you want permanent access to a report, you must save it.
To save a report:
1

Generate the report, see Generating Reports on page 220.

2

In the Save as field, enter a name for the report and click Save. You can access the report on the
Logs and reports > Reports > Recent and saved page.

About Recent and Saved Reports
You can access all reports generated in the last three days on the Logs and reports > Reports >
Recent and saved page.
You can also save recently generated reports and change report formats on this page.

Changing Report Formats
Advanced Firewall enables you to change reports viewed and/or saved in one format to another.

To change a report format:
1

Navigate to the Logs and reports > Reports > Recent and saved page.

2

Locate the report you want to change and click on the format you want to change the report to. The
following formats are available:
Format

Description

csv

The report will be generated in comma separated text format.

excel

The report will be generated in Microsoft Excel format.

pdf

The report will be generated in Adobe’s portable document format.

pdfbw

The report will be generated in black and white in Adobe’s portable document format.

tsv

The report will be generated in tab separated text (tsv) format.

Managing Reports and Folders
The following sections explain how to create, delete and navigate reports and folders in Advanced
Firewall.

Creating Folders
You can create a folder to contain reports on the Logs and reports > Reports > Reports page or in
a folder or sub-folder contained on the page.
To create a folder:
1

On the Logs and reports > Reports > Reports page, determine where you want to create the
folder, on the page or in an existing folder.

2

Click the Create a new folder button. Advanced Firewall creates the folder.

3

Enter a name for the folder and click Rename.

Deleting Folders
To delete a folder:
1

On the Logs and reports > Reports > Reports page, locate the folder.

2

Click the Delete button. Advanced Firewall deletes the folder.

Note: You cannot delete a folder which contains reports. Delete the report(s) in the folder first, then delete
the folder.


Deleting Reports
To delete a report:
1

Navigate to the Logs and reports > Reports > Recent and saved page.

2

Locate the report and click the Delete button.

Report Permissions
Advanced Firewall enables you to publish reports on a portal. For more information, see Chapter 8,
Making Reports Available on page 83.

Making Reports Available on Portals
You can make reports generated on one portal available on other portals.
To make the report available:
1

Navigate to the Logs and reports > Reports > Reports page and locate the report you want to
publish to portals.

2

On the Permissions tab, click Automatic Access.

3

In the Automatic Access area, from the Add access drop-down list, select the portal you want to
publish the generated report on and click Add.

4

Click Close to close the dialog box. Advanced Firewall publishes the report to the portal.


Scheduling Reports
Advanced Firewall can generate and deliver reports to specified user groups at specified intervals.
To schedule a report:
1 Navigate to the Logs and reports > Reports > Scheduled page.
2 Configure the following settings:

Setting
Description

Enabled
Select to enable the scheduled report.

Comment
Optionally, enter a description of the scheduled report.

Start date
Select the month and day on which to create and deliver the report. If the report is to be repeated, enter the date on which the first report should be created and delivered.

Time
Select the hour and minute at which to deliver the report.

Repeat
Scheduled reports can be generated and delivered more than once. Select from the following options:
No Repeat – The report will be generated and delivered once on the specified date at the specified time.
Daily Repeat – The report will be generated and delivered once a day at the specified time, starting on the specified date.
Weekday Repeat – The report will be generated and delivered at the specified time, Monday to Friday, starting on the specified date.
Weekly Repeat – The report will be generated and delivered at the specified time, once a week, starting on the specified date.
Monthly Repeat – The report will be generated and delivered at the specified time, once a month, starting on the specified date.

Report
From the drop-down list, select the report.

Report name
Enter a name for the scheduled report.

Report shows period
From the drop-down list, select how long to collate data for this report.

Email report
Select this option if you want to email the report to a group of users.

Group
From the drop-down list, select the group you want to deliver the report to. For more information, see Chapter 12, Configuring Groups on page 254.

Save report
Select this option if you want to save the scheduled report after it has been generated. The report will be available on the Logs and reports > Reports > Recent and saved page.

Publish from portal
Optionally, from the drop-down menu, select a portal to publish the report from.

3 Click Add. Advanced Firewall schedules the report and lists it in the Scheduled reports area.

Managing Log Retention
You can configure Advanced Firewall to retain logs for use in reporting and network troubleshooting.
To manage log retention:
1 Navigate to the Logs and reports > Settings > Datastore settings page.

2 Configure the following settings:

Setting
Description

Retention settings
Use the slider’s start and end points to specify the minimum and maximum number of months Advanced Firewall should retain log files. If a log file is older than the minimum retention period specified, it may be deleted if the available storage space starts to run out. If a log file is older than the maximum retention period specified, it will be deleted. For example, if the minimum retention period is set to 3 months and the maximum retention period is set to 6 months, Advanced Firewall will always keep log files for 3 months and, if there is available storage space, will keep them for 6 months.
Minimum – The minimum number of months possible is 0.
Note: If, because of a lack of disk space, the minimum log retention is not possible, Advanced Firewall will stop working and display a warning.
Maximum – The maximum number of months possible is infinite.
Note: If, because of a lack of storage space, the minimum log retention is not possible, Advanced Firewall will stop working and display a warning.

3 Click Save changes to save the datastore settings.


Chapter 12

Information, Alerts and Logging
In this chapter:
• About the dashboard, registration and initial setup pages
• Viewing, analyzing and configuring alerts
• Realtime information and log files.

About the Dashboard
The dashboard is the default home page of your Advanced Firewall system. The dashboard displays service information, external connectivity controls and a number of summary reports.
To access the dashboard:
1 Browse to Dashboard.

About the About Page
The About page displays product, registration, copyright and trademark information. It also displays acknowledgements.
To access the About page:
1 Browse to the bottom of the page you are on and click About.

Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls.

Overview
Alerts are generated when certain trigger conditions are met. Trigger conditions can be individual events, for example, an administrator login failure, or a series of events occurring over a particular time period, for example, a sustained high level of traffic over a five minute period. Some situations are constantly monitored, particularly those relating to critical failures, for example, UPS and power supply alerts. Some alerts allow their trigger conditions to be edited to customize the alert sensitivity. It is possible to specify two trigger conditions for some alerts – the first acts as a warning alert, and, in more critical circumstances, the second denotes the occurrence of an incident.

Available Alerts
You access the alerts and their settings on the Logs and reports > Alerts > Alerts page.

Alert
Description

VPN Tunnel Status
VPN Tunnel status notifications occur when an IPSEC Tunnel is either connected, or disconnected. Monitoring is constant.

L2TP VPN Tunnel Status
L2TP Tunnel status notifications occur when an L2TP (Layer 2 Tunnelling Protocol) Tunnel is either connected, or disconnected. Monitoring is constant.

SmoothTunnel VPN Certificate Monitor
Validates Advanced Firewall VPN certificates and issues warnings about potential problems, or impending expiration dates. Monitored once an hour.

Hardware Failover Notification
Generates messages when a hardware failover occurs, or when failover machines are forced on and offline. Constant monitoring.

Hardware failure alerts, i.e. UPS, hard disk failure
Generates messages when hardware problems are detected. Constant monitoring.

Power Supply status warnings
Generates messages when server power switches to and from mains supply. Constant monitoring.

License expiry status warnings
Generates messages when the license is due for renewal or has expired. Monitored once an hour.

Output System Test Messages
Catches test alerts generated for the purposes of testing the Advanced Firewall Output systems. Constant monitoring.

Health Monitor
Checks on remote services for activity. Monitored once every five minutes.

System Resource Monitor
These alerts are triggered whenever the system resources exceed predefined limitations. Monitored once every five minutes.

System Service Monitoring
This alert is triggered whenever a critical system service changes status, i.e. starts or stops. Monitored once every five minutes.

Firewall Notifications
Monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports. Constant monitoring.

SmoothRule Violations
Monitors outbound access activity and generates warnings about suspicious behavior. Constant monitoring.

Email Virus Monitor
These alerts are triggered by detection of malware being relayed via SMTP or downloaded via POP3. Monitored once every five minutes.

Traffic Statistics Monitor
These alerts are triggered whenever the traffic flow for the external interface exceeds certain thresholds. Monitored once every five minutes.

External Connection Failover
Monitors the external connection(s) and alerts in the case of failover. Monitored once every five minutes.

Reverse proxy violations
Monitors reverse proxy activity and generates warnings about connectivity issues.

IM proxy monitored word alert
Monitors instant messaging chats activity and generates warnings based on excessive use of inappropriate language.

Inappropriate word in IM Monitor
Generates an alert whenever a user uses an inappropriate word or phrase in IM chat conversation.

Administration Login Failures
Monitors both the Secure Shell (SSH) and Web Interface services for failed login attempts. Constant monitoring.

Intrusion System Monitor
These alerts are triggered by violations and notices generated by the intrusion system by suspicious network activity. Constant monitoring.

Mail Queue Monitor
Watches the email queue and informs if the number of messages therein exceeds a certain threshold. Monitored once every five minutes.

Update Monitoring
Monitors the system for new updates once an hour. Monitored once an hour.

System Boot (Restart) Notification
This alert is generated whenever the system is booted, i.e. is turned on or restarted.

Enabling Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls.
To enable alerts:
1 Browse to the Logs and reports > Alerts > Alerts page.
2 Configure the following settings:

Setting
Description

Group name
From the drop-down list, select a group of recipients and click Select. For information on creating a group, see Configuring Groups on page 254.

Enable instantaneous alerts
By default, Advanced Firewall queues alerts in two minute intervals, and then distributes a merged notification of all alerts. Select this option to send the alert(s) individually as soon as they are triggered.

3 For each alert you want to send, select the delivery method: SMS or Email.
4 Click Save.

Looking up an Alert by Its Reference
To view the content of an alert that has already been sent:
1 Enter the alert’s unique ID into the Alert ID field and click Show. The content of the alert will be displayed on a new page.

Configuring Alert Settings
The following sections explain how to configure Advanced Firewall alert settings.
To access the alert settings:
1 Browse to the Logs and reports > Alerts > Alert settings page.

Configuring the System Resource Alert
This alert is triggered whenever particular system resources exceed some predefined limitations.
To adjust the settings:
1 Enter or choose appropriate settings for each of the following controls:

Setting
Description

System load average
Used to set a threshold for the average number of processes waiting to use the processor(s) over a five minute period, that generates an alert once exceeded. A system operating at normal performance should record a load average of between 0.0 and 1.0. While higher values are not uncommon, prolonged periods of high load (for example, averages greater than 3.0) may merit attention.

Disk usage
Used to set a disk space usage percentage threshold, that generates an alert once exceeded. Low amounts of free disk space can adversely affect system performance.

System memory usage
Used to set a system memory usage percentage threshold, that generates an alert once exceeded. Advanced Firewall uses system memory aggressively to improve system performance, so higher than expected memory usage may not be a concern. However, prolonged periods of high memory usage may indicate that the system could benefit from additional memory.

2 Click Save.

Configuring the System Service Alert
This alert is triggered whenever a critical system service changes states, i.e. starts or stops.
To adjust the settings for this alert:
1 Select the components, modules and services that should generate alerts when they start or stop.
2 Click Save.

Configuring the Firewall Notifications Alert
This alert monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports.
To adjust the settings:
1 Enter or choose appropriate settings for each of the following controls:

Setting
Description

Monitor Source (remote) IP addresses
Detects suspicious inbound communication from remote IP addresses. Alerts will be generated if a rapid series of inbound requests from the same remote IP address is detected.

Monitor Destination (local) IP Addresses
Detects suspicious inbound communication to local IP addresses. Alerts will be generated if a rapid series of inbound requests to the same local IP address is detected.

Monitor Source (remote) Ports
Detects suspicious inbound communication from remote ports. Alerts will be generated if a rapid series of inbound requests from the same remote port is detected.

Monitor Destination (local) Ports
Detects suspicious inbound communication to local ports. Alerts will be generated if a rapid series of inbound requests to the same local port is detected.

Note: The adjacent Warning threshold and Incident threshold fields can be used to set the respective levels at which alerts are generated for each type of activity.
Note: To exempt particular ports from monitoring, enter a comma separated list of ports into the appropriate Ignore fields.
2 Click Save.

Configuring the Health Monitor
This alert is triggered whenever a remote service fails to report activity. Health monitor alerts are intended to enable you to keep an eye on various aspects of your network which are usually outside of the remit of Advanced Firewall. The health monitor provides the following checks and alerts:

Web Servers (HTTP) – When enabled, tries to retrieve the specified web page and check that it contains specific keywords. Assuming the page has been retrieved and the keywords are missing, an alert is generated. This is for detecting defacement.
Setting – Description
Request URL – Enter the URL of the web page you want retrieved and checked for keywords, for example: example.com/index.htm
Note: Omit http:// when entering the URL.
Keywords – Enter the keywords to be checked in the page.
No of tries – Enter the number of times Advanced Firewall should try to retrieve the page.
DNS Name Resolution – Checks that a domain has not expired or been hijacked.
Setting – Description
Name – Enter the domain name.
Address – Enter the domain address.
Other Services – Checks that the specified port is open and offering a service.
Setting – Description
IP Address – Enter the IP address.
Port – Enter the port number.
Protocol – From the drop-down list, select the protocol of the service you want to check for a response. Select Other to check that there is any response to connections on the associated port.
No of tries – Enter the number of times Advanced Firewall should check the address and not receive a response before generating an alert.
To configure the alert:
1 For the services, enter the URL, IP address or name, port numbers and number of tries, if applicable.
2 Enter keywords.
3 Select the protocol.
4 Click Add for each service.

Configuring the Inappropriate Word in IM Monitor Alert
These alerts are generated whenever a user uses an inappropriate word or phrase in instant messaging chat conversations.
To configure the alert:
1 Configure the following settings:
Setting – Description
Enabled on received text – Select to generate the alert when an inappropriate word is used in a message received from a remote user.
Enabled on sent text – Select to generate the alert when an inappropriate word is used in a message sent by a local user.

Generate alert for each message which exceeds the Message Censor severity threshold – Select to generate an alert when the Message Censor threshold is exceeded. From the drop-down list, select the threshold above which an alert will be generated. For information on the Message censor threshold, see Chapter 8, Censoring Message Content on page 109.
Generate alert when users exceed the rate of inappropriate messages – Select to generate an alert when users exceed the specified number of inappropriate messages within a 15 minute period.
Number of inappropriate messages in 15 mins – Specify how many inappropriate messages to allow in a 15 minute period before generating an alert.
2 Click Save to save the settings.

Configuring the Email Virus Monitor Alert
When configured, these alerts are triggered when malware being relayed via SMTP or downloaded via POP3 is detected.
To configure the alert(s):
1 Enable the following setting(s):
Setting – Description
Monitor SMTP relay for viruses – Select to alert when malware is detected when relaying via SMTP.
Monitor POP3 proxy for viruses – Select to alert when malware is detected when downloading via POP3.
2 Click Save to enable the alerts.

Configuring the Mail Queue Monitor Alert
This alert is triggered when the number of messages in the email queue exceeds the specified threshold.
To configure and enable the alert:
1 Configure the following settings:
Setting – Description
Threshold number of messages – Enter the number of messages above which the alert is triggered.
2 Click Save to save the settings and enable the alert.

Realtime
The realtime pages provide access to realtime information about your system.

Realtime System Information
The System page is a realtime version of the system log viewer with some filtering options.

To access the System page:
1 Browse to Logs and reports > Realtime > System page. By default, all information in the system log is displayed and updated automatically approximately every second.
To display information on specific components:
1 From the Section drop-down list, select the component and click Update. If there is information on the component available in the system log, it is displayed in the Details area.

Realtime Firewall Information
The Firewall page is a realtime version of the firewall log viewer with some filtering options. All entries in the firewall log are from packets that have been blocked by Advanced Firewall.

To access the page:
1 Browse to Logs and reports > Realtime > Firewall page. By default, information is displayed and updated automatically approximately every second.
To display information on specific sources and destinations:
1 Enter a complete or partial IP address and/or port number in the fields and click Update.

Realtime IPsec Information
The IPSec page is a realtime version of the IPSec log viewer with some filtering options.

To access the IPSec page:
1 Browse to Logs and reports > Realtime > IPSec page. By default, all information in the log is displayed and updated automatically approximately every second.
To display information on a specific tunnel:
1 Configure the following settings:
Setting – Description
Connection – From the drop-down list, select the tunnel.
Show only lines containing – Enter the text you are looking for.
2 Click Update. If there is information available in the system log, it is displayed in the Details area.

Realtime Portal Information
The Portal page displays realtime information on users accessing Advanced Firewall portals. For more information on portals, see Chapter 8, Working with Portals on page 81.
To access the portal page:
1 Browse to Logs and reports > Realtime > Portal page.

Realtime Instant Messaging
The IM proxy page is a realtime version of the IM proxy log viewer with some filtering options. The page displays a view of ongoing conversations for each of the monitored protocols and displays a selected conversation as it progresses.
To view IM conversations:
1 Browse to Logs and reports > Realtime > IM proxy page. You can use the following settings to manage how the conversation is displayed.
2 In the Username or IP address field, enter the username or IP address. If there is information available in the web filter log, it is automatically displayed in the Details area.
3 To show lines containing specific text, in the Show only lines containing field, enter the text. If the text is found, it is automatically displayed in the Details area.
The local username is denoted in blue, the remote username is denoted in green. Active conversations which have had content added to them within the last minute are displayed in bold text in the left pane. If nothing has been said for more than a minute, the remote username will be displayed in the normal style font.
Note: As most IM clients communicate with a central server, local conversations are likely to be displayed twice as users are recognized as both local and remote.

Realtime Traffic Graphs
The Traffic graphs page displays a realtime graph of the bandwidth in bits per second being used by the currently selected interface.

To access the traffic graphs page:
1 Browse to Logs and reports > Realtime > Traffic graphs page.
The Interfaces area displays a list of the active interfaces on Advanced Firewall. Clicking on an interface displays its current traffic.
Top 10 Incoming displays the 10 IP addresses which are using the greatest amount of incoming bandwidth.
Top 10 Outgoing displays the 10 IP addresses which are using the greatest amount of outgoing bandwidth.

Logs
The log pages display system, firewall, intrusion system, IPsec, email and proxy information.

System Logs
The system logs contain simple logging and management information.
To access system logs:
1 Browse to the Logs and reports > Logs > System page.

The following filter criteria controls are available in the Settings area:
Control – Description
Section – Used to select which system log is displayed. The following options are available:
Authentication service – Log messages from the authentication system, including service status messages and user authentication audit trail.
IM Proxy – Log messages from the instant messaging proxy service, including service status messages.
Kernel – Log messages from the core Advanced Firewall operating system.
Message censor – Displays information from the message censor logs.
Monitor – Displays monitoring system information including service status and alert/report distribution audit trail.
NTP – Log messages from the network time system.
SSH – Log messages from the SSH system.
System – Displays server log information, including startup, shutdown, reboot and service status messages.
System – Simple system log messages.
SystemD – Log messages from the system super server.
Update transcript – Displays information on update history.
UPS – Log messages from the UPS system.
VIPRE engine – Displays information on the anti-malware engine.
Month – Used to select the month that log entries are displayed for.
Day – Used to select the day that log entries are displayed for.
Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.
To view specific information:
1 Select the filtering criteria using the Settings area and click Update. A single column is displayed containing the time of the event(s) and descriptive messages.

Firewall Logs
The firewall logs contain information on network traffic.
To view the firewall logs:
1 Browse to the Logs and reports > Logs > Firewall page.

Filtering Firewall Logs
The following filter criteria controls are available in the Settings area:
Control – Description
Section – Used to select which firewall log is displayed. The content of each section is discussed below.
Compression – Used to ghost repeated sequential log entries for improved log viewing.
Month – Used to select the month that log entries are displayed for.
Day – Used to select the day that log entries are displayed for.

Source – Enter an IP address and click Update to display log entries for that source address.
Destination – Enter an IP address and click Update to display log entries for that destination address.
Src port – This drop-down list is populated with a list of all source ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Dst port – This drop-down list is populated with a list of all destination ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.
The sections that can be viewed are as follows:
Section – Description
Main – All rejected data packets.
Outgoing rejects – All data packets from the internal network zones that were rejected by an outbound access rule.
Outgoing stealth – All data packets from the internal network zones that were logged but not rejected by an outbound access rule.
Port forwards – All data packets from the external network that were forwarded by a port forward rule – if port forward logging is enabled on the Networking > Firewall > Port forwarding page.
Incoming audit – All traffic to all interfaces that is destined for the firewall – if Direct incoming traffic is enabled on the Networking > advanced page.
Outgoing audit – All traffic leaving from any interface – if Direct outgoing traffic is enabled on the Networking > Settings > Advanced page.
Forward audit – All traffic passing through one interface to another – if Forwarded traffic is enabled on the Networking > Settings > Advanced page.
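The Firewall Notifications alert described earlier in this chapter raises a warning or an incident when a rapid series of inbound requests shares the same remote IP, remote port, local IP or local port, with Ignore fields for exempt ports. The following Python script is an added illustration of that sliding-window logic, not Smoothwall code: the records are constructed (their field names only mirror the Source, Src Port, Destination and Dst port columns of the firewall log viewer), and the thresholds, Ignore list and 60-second window are assumed values.

```python
"""Sliding-window detector for the 'rapid series of inbound requests' condition that the
Firewall Notifications alert watches for, run over constructed firewall log records."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not Smoothwall's own log format). SRC/SPT stand for the
# Source/Src Port columns and DST/DPT for Destination/Dst port in the log viewer.
SAMPLE_LOG = """\
2013-12-01 10:00:00 SRC=203.0.113.7 SPT=51000 DST=192.0.2.10 DPT=22 PROTO=TCP
2013-12-01 10:00:01 SRC=203.0.113.7 SPT=51001 DST=192.0.2.10 DPT=23 PROTO=TCP
2013-12-01 10:00:02 SRC=203.0.113.7 SPT=51002 DST=192.0.2.10 DPT=25 PROTO=TCP
2013-12-01 10:00:03 SRC=198.51.100.4 SPT=40000 DST=192.0.2.10 DPT=53 PROTO=UDP
2013-12-01 10:00:04 SRC=203.0.113.7 SPT=51003 DST=192.0.2.10 DPT=80 PROTO=TCP
2013-12-01 10:00:05 SRC=203.0.113.7 SPT=51004 DST=192.0.2.10 DPT=443 PROTO=TCP
2013-12-01 10:00:06 SRC=198.51.100.4 SPT=40001 DST=192.0.2.10 DPT=3389 PROTO=TCP
2013-12-01 10:00:07 SRC=198.51.100.9 SPT=40002 DST=192.0.2.10 DPT=3389 PROTO=TCP
2013-12-01 10:00:08 SRC=198.51.100.12 SPT=40003 DST=192.0.2.10 DPT=3389 PROTO=TCP
2013-12-01 10:02:30 SRC=203.0.113.7 SPT=51005 DST=192.0.2.10 DPT=8080 PROTO=TCP
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# One entry per monitor checkbox: the log field it keys on, the Warning and Incident
# thresholds, and the Ignore list of ports. Thresholds and the window are assumptions.
MONITORS = {
    "remote_ip":  {"field": "SRC", "warning": 3, "incident": 5, "ignore": set()},
    "local_port": {"field": "DPT", "warning": 3, "incident": 5, "ignore": {"53"}},
}
WINDOW = timedelta(seconds=60)   # assumed: how close together hits must be to be a "series"

def parse_record(line):
    """Split one constructed record into (timestamp, {field: value})."""
    stamp, rest = line[:19], line[19:]
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), dict(FIELD_RE.findall(rest))

def detect(log_text, monitors=MONITORS, window=WINDOW):
    """Return (level, monitor, value, count) tuples, one per threshold crossing.

    For each monitored key (e.g. remote IP 203.0.113.7) the timestamps of hits inside
    the trailing window are kept; an alert is raised the moment the count reaches the
    Warning threshold and again when it reaches the Incident threshold, so one burst
    produces at most one alert of each level."""
    hits = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_record(line)
        for name, cfg in monitors.items():
            value = fields.get(cfg["field"])
            if value is None or value in cfg["ignore"]:
                continue
            recent = hits[(name, value)]
            recent.append(ts)
            while ts - recent[0] > window:      # expire hits that fell out of the window
                recent.popleft()
            count = len(recent)
            if count == cfg["incident"]:
                alerts.append(("incident", name, value, count))
            elif count == cfg["warning"]:
                alerts.append(("warning", name, value, count))
    return alerts

if __name__ == "__main__":
    for level, monitor, value, count in detect(SAMPLE_LOG):
        print(f"{level.upper():8} {monitor:<11} {value:<14} {count} hits in window")
```

Run as a script it reports a warning and then an incident for 203.0.113.7 and a warning for local port 3389; the port 53 hits are skipped because of the Ignore list, and the final hit from 203.0.113.7 at 10:02:30 raises nothing because the earlier hits have expired from the window. Shrinking the window to one second makes every alert disappear, which is the knob to turn when a monitor is too noisy.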

Viewing Firewall Logs
To view firewall logs, select the appropriate filtering criteria using the Settings area and click Update. The following columns are displayed:
Column – Description
Time – The time that the firewall event occurred.
In – The interface at which the data packet arrived.
Out – The interface at which the data packet left.
Source – The IP address of the data packet's sender.
Src Port – The outbound port number used by the data packet.
Destination – The IP address of the data packet's intended destination.
Dst port – The inbound port number used by the data packet.
Protocol – The network protocol used by the data packet.

Looking up a Source IP – whois
The firewall log viewer can be used to find out more information about a selected source or destination IP by using the whois tool.
To use whois:
1 Navigate to the Logs and reports > Logs > Firewall page.
2 Select a particular source or destination IP in Source and Destination columns.
3 Click Lookup. A lookup is performed and the result displayed on the System > Diagnostics > whois page.

Blocking a Source IP
The firewall log viewer can be used to add a selected source or destination IP to the IP block list.
To block a source IP:
1 Navigate to the Logs and reports > Logs > Firewall page.
2 Select one or more source or destination IPs.
3 Click Add to IP block list. The selected source and destination IPs will be automatically added to the IP block list which you can review on the Networking > Filtering > IP block page. See Chapter 5, Blocking by IP on page 51 for more information.

IPSec Logs
IPSec logs show IPSec VPN information.

To access the logs:
1 On Logs and reports > Logs > IPSec.
2 Choose the tunnel you are interested in by using the Tunnel name control.
3 To view the logs for all of the tunnels at once, choose ALL as the tunnel name.
4 After making a change, click Update.
Exporting Logs
To export and download all log entries generated by the current settings, click Export.

Exporting all dates
To export and download all log entries generated by the current settings, for all dates available, select
Export all dates, and click Export.

Viewing and Sorting Log Entries
The following columns are displayed in the Web log region:
Column – Description
Time – The time the tunnel activity occurred.
Name – The name of the tunnel concerned.
Description – Log entries generated by the VPN system.
Log entries are displayed over a manageable number of pages. To view a particular page, click its
Page number hyperlink displayed above or below the log entries. The adjacent << (First), < (Previous),
> (Next) and >> (Last) hyperlinks provide an alternative means of moving between pages.
To sort the log entries in ascending or descending order on a particular column, click its Column title
hyperlink. Clicking the currently selected column reverses the sort direction.


Email Logs
Email logs provide detailed, configurable and searchable information on email activity regarding time,
sender, recipient, subject and spam status.

Configuring Email Logs
To access and configure email logs:
1 Navigate to the Logs and reports > Logs > Email page. Advanced Firewall displays the currently configured log entries.
2 Click Advanced. The following options are displayed:
Option – Description
Sender – Select to display who sent the email message(s).
Recipient – Select to display who the email message(s) are for.
Subject – Select to display the subject line of the email message(s).
Spam – Select to display information on message(s) that have been classified as spam.
3 Select the options you want to display. Advanced Firewall updates what is displayed.

Monitoring Email Log Activity in Realtime
It is possible to monitor email log activity in realtime.
To monitor email log activity in realtime:
1 On the Logs and reports > Logs > Email page, click Realtime. Advanced Firewall displays the currently configured log options in realtime in a table of log entries and in the email graph. The results are updated automatically.
Tip: To get a closer look at what is happening at a specific time, locate and click on that time in the graph. Advanced Firewall stops the realtime display and shows what has been logged at the time you clicked on.
2 To stop realtime monitoring, click Realtime. Advanced Firewall stops displaying realtime data.


Searching for/Filtering Email Log Information
Advanced Firewall enables you to search for/filter information in a number of ways.
To search for/filter information:
1 On the Logs and reports > Logs > Email page, use one or more of the following methods:
Method – Description
Graph – On the graph, locate and click on the time you are interested in. Advanced Firewall displays what was logged at the time you clicked on.
Time – Click in the date and time picker and specify when to search from. Click Apply. Advanced Firewall displays the results from the time specified and two hours forward.
Free search term – In the Sender, Recipient, Subject and/or Spam column(s), enter one or more search terms. Advanced Firewall displays the search results.

Exporting Email Data
It is possible to export logged data in comma-separated (CSV) format.
To export data:
1 On the Logs and reports > Logs > Email page, configure or search for the data you want to export. For more information, see Configuring Email Logs on page 245 and Searching for/Filtering Email Log Information on page 246.
2 Click Export. Follow your browser’s prompts to save and export the data.

IDS Logs
The IDS logs contain details of suspicious network activity detected by Advanced Firewall’s intrusion
detection system (IDS).
To view the IDS logs:
1 Navigate to the Logs and reports > Logs > IDS page. Advanced Firewall displays the results.
Option – Select to:
Month – Specify which month you wish to view logs for.
Day – Specify which day you wish to view logs for.
Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

Exporting Logs
To export logs:
1 Filter the logs to show the information you want to export.
2 Select the export format and if you want to export all dates.
3 Click Export. To save the exported log, use the browser's File, Save As option.

IPS Logs
The IPS logs contain details of suspicious network activity prevented by Advanced Firewall’s intrusion
prevention system (IPS).
To view the IPS logs:
1 Navigate to the Logs and reports > Logs > IPS page. Advanced Firewall displays the results.
Option – Select to:
Month – Specify which month you wish to view logs for.
Day – Specify which day you wish to view logs for.
Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

IM Proxy Logs
The IM proxy log page displays a searchable log of instant messaging conversations and file
transfers.
To view the IM proxy logs:
1 Browse to Logs and reports > Logs > IM proxy page.
The following settings are available:
Setting – Description
Local user filter – Enter the name of a local user whose logged conversations you want to view.
Enable local user filter – Select to display conversations associated with the local user name entered.
Remote user filter – Enter the name of a remote user whose logged conversations you want to view.
Enable remote user filter – Select to display conversations associated with the remote user name entered.
Enable smilies – Select to display smilies in the conversation.
Enable links – Select to make links in the conversation clickable.
Search – Here you can enter a specific piece of text you want to search for.
Conversations – Enables you to browse conversations by instant messaging protocol, user ID and date.

Web Proxy Logs
The proxy logs contain detailed information on all Internet access made via the web proxy service. It
is possible to filter the proxy logs using any combination of requesting source IP, and requested
resource type and domain.
To view the web proxy logs:
1 Browse to Logs and reports > Logs > Web proxy page.

Reverse Proxy Logs
The reverse proxy logs contain time, source IP and web site information about requests made using
the reverse proxy service.
To view reverse proxy logs:
1 Browse to the Logs and reports > Logs > Reverse proxy page.


Filtering Reverse Proxy Logs
The following filter criteria controls are available in the Settings area:
Control – Description
Month – Used to choose the month that proxy logs are displayed for.
Day – Used to choose the day that proxy logs are displayed for.
Year – Used to choose the year that proxy logs are displayed for.
Ignore filter – Used to enter a regular expression that excludes matching log entries. The default value excludes common log entries for image, JavaScript, CSS style and other file requests.
Enable ignore filter – Select to enable the filter.
Domain filter – Used to display log entries recorded against a particular domain. Matching will occur on the start of the domain part of the URL. For example, www.abc will match www.abc.com and www.abc.net but not match abc.net. It is possible to include regular expressions within the filter – for example (www.)?abc.com will match both abc.com and www.abc.com.
Enable domain filter – Select to enable the filter.
Export format – Logs can be exported in the following formats:
Comma Separated Values – The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
Raw Format – The information is exported without formatting.
Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.

Note: When running SSL VPNs in TCP mode, the reverse proxy access logs generated for HTTPS requests
will contain a source address of 127.0.0.1. This is because OpenVPN has to proxy the HTTPS
traffic. Therefore, from Advanced Firewall’s point of view, the traffic is originating from localhost.
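To make the Ignore filter and Domain filter semantics above concrete (a regular expression that excludes matching entries, and a regular expression matched against the start of the host part of the URL), here is an added Python example. It is not the reverse proxy's own code: the six log entries and the DEFAULT_IGNORE expression are constructed (the guide describes the real default but does not print it), and the 127.0.0.1 entry stands for the SSL VPN case the note above describes.

```python
"""Filtering reverse proxy log entries the way the Ignore filter and Domain filter do."""
import re
from urllib.parse import urlsplit

# Constructed sample in the three columns the log viewer shows: Time, Source IP, Website.
SAMPLE_LOG = """\
2013-12-01 10:00:00 198.51.100.4 http://www.abc.com/index.html
2013-12-01 10:00:01 198.51.100.4 http://www.abc.com/style.css
2013-12-01 10:00:02 198.51.100.4 http://www.abc.net/logo.png
2013-12-01 10:00:03 203.0.113.9 http://abc.net/login
2013-12-01 10:00:04 203.0.113.9 http://abc.com/admin
2013-12-01 10:00:05 127.0.0.1 https://www.abc.com/secure/
"""

# Constructed stand-in for the viewer's default ignore expression: drop requests for
# image, JavaScript and CSS files so that page views are what remain.
DEFAULT_IGNORE = r"\.(?:gif|jpe?g|png|ico|css|js)(?:\?|$)"

def parse_log(text):
    """Turn the constructed log text into a list of {time, source, website} dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, source, website = line.split(maxsplit=3)
        entries.append({"time": f"{date} {clock}", "source": source, "website": website})
    return entries

def host_of(url):
    """The 'domain part of the URL' that the Domain filter is matched against."""
    return urlsplit(url).hostname or ""

def apply_filters(entries, ignore_filter=None, domain_filter=None):
    """Keep entries that the ignore expression does not match and whose host starts
    with a match of the domain expression (re.match anchors at position 0, which is
    exactly the 'matching occurs on the start of the domain' rule)."""
    ignore_re = re.compile(ignore_filter) if ignore_filter else None
    domain_re = re.compile(domain_filter) if domain_filter else None
    kept = []
    for entry in entries:
        if ignore_re and ignore_re.search(entry["website"]):
            continue
        if domain_re and not domain_re.match(host_of(entry["website"])):
            continue
        kept.append(entry)
    return kept

def hosts(entries):
    return [host_of(e["website"]) for e in entries]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in apply_filters(entries, DEFAULT_IGNORE, "www.abc"):
        print(e["time"], e["source"], e["website"])
```

One caveat the guide's examples hide: in a regular expression an unescaped dot matches any character, so www.abc also matches a host such as wwwxabc.example. When the filter has to be precise, escape the dots (www\.abc) and, for the Ignore filter, anchor the expression so that it cannot match inside a path segment you care about.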

Viewing Reverse Proxy Logs
To view proxy logs:
1 Select the appropriate filtering criteria using the Settings area and click Update. Proxy logs are displayed in the Proxy log area. The following columns are displayed:
Column – Description
Time – The time the web request was made.
Source IP – The source IP address the web request originated from.
Website – The URL of the requested web resource.


User Portal Logs
The User portal log page displays information on users who have accessed user portals.
To view user portal log activity:
1 Browse to the Logs and reports > Logs > User portal page. Advanced Firewall displays the information.

Configuring Log Settings
Advanced Firewall can send syslogs to an external syslog server, automatically delete log files when
disk space is low and set the maximum log file retention settings.
To configure logging settings:
1 Browse to the Logs and reports > Logs > Log settings page.
2 In the Syslog logging area, select the logging you require.
3 To enable and configure remote logging, configure the following settings:
Setting – Description
Remote syslog – To send logs to an external syslog server, select this setting.
Syslog server – If you have selected the Remote syslog option, enter the IP address of the remote syslog server.
Default retention – To set default log retention for all of the logs listed above, select one of the following settings:
1 Day – Rotate the log file daily and keep the last day.
2 Days – Rotate the log file daily and keep the last 2 days.
A week – Rotate the log file weekly and keep the last week.
2 weeks – Rotate the log file weekly and keep the last 2 weeks.
A month – Rotate the log file monthly and keep the last month.
2 months – Rotate the log file monthly and keep the last 2 months.
Three months – Rotate the log file monthly and keep the last 3 months.
Four months – Rotate the log file monthly and keep the last 4 months.
Five months – Rotate the log file monthly and keep the last 5 months.
Six months – Rotate the log file monthly and keep the last 6 months.
Seven months – Rotate the log file monthly and keep the last 7 months.
Eight months – Rotate the log file monthly and keep the last 8 months.
Nine months – Rotate the log file monthly and keep the last 9 months.
Ten months – Rotate the log file monthly and keep the last 10 months.
Eleven months – Rotate the log file monthly and keep the last 11 months.
A year – Rotate the log file monthly and keep the last 12 months.
4 Optionally, to set an individual retention period for specific logs, click Advanced and configure the settings displayed.
5 Click Save. Advanced Firewall will log and retain the information you have specified and, if configured, send logs to the remote syslog server.

Configuring Other Log Settings
Advanced Firewall enables you to configure retention settings for other logs.
To configure other logs:
1 Browse to the Logs and reports > Logs > Log settings page.
2 In the Other logging area, configure the following settings:
Setting – Description
Default retention – To set default log retention for all of the logs listed in the table below, select one of the following settings:
1 Day – Rotate the log file daily and keep the last day.
2 Days – Rotate the log file daily and keep the last 2 days.
A week – Rotate the log file weekly and keep the last week.
2 weeks – Rotate the log file weekly and keep the last 2 weeks.
A month – Rotate the log file monthly and keep the last month.
2 months – Rotate the log file monthly and keep the last 2 months.
Three months – Rotate the log file monthly and keep the last 3 months.
Four months – Rotate the log file monthly and keep the last 4 months.
Five months – Rotate the log file monthly and keep the last 5 months.
Six months – Rotate the log file monthly and keep the last 6 months.
Seven months – Rotate the log file monthly and keep the last 7 months.
Eight months – Rotate the log file monthly and keep the last 8 months.
Nine months – Rotate the log file monthly and keep the last 9 months.
Ten months – Rotate the log file monthly and keep the last 10 months.
Eleven months – Rotate the log file monthly and keep the last 11 months.
A year – Rotate the log file monthly and keep the last 12 months.
3 Click Advanced to see what other logs are available and to determine if you want to set individual log retention settings.
Setting – Description
Default retention – From the drop-down menu, select the default retention period you want to use for advanced logging settings. To set individual retention periods, configure the settings below.
Intrusion detection logs – From the drop-down menu, select how long you want to keep intrusion detection logs.
Intrusion prevention logs – From the drop-down menu, select how long you want to keep intrusion prevention logs.
IM logs – From the drop-down menu, select how long you want to keep instant messaging logs.
4 Click Save. Advanced Firewall will now retain the logs as you have specified.

Managing Automatic Deletion of Logs
Advanced Firewall can be set to automatically delete log files if there is a limited amount of free disk
space available.
To configure automatic log deletion:
1 Browse to the Logs and reports > Logs > Log settings page.
2 In the Automatic log deletion area, configure the settings:
Setting – Description
Delete old logs when free space is low – Select to automatically delete logs when the specified amount of disk space has been used.
Amount of disk space to use for logging – From the drop-down list, select the level at which Advanced Firewall will delete logs.
3 Click Save. Advanced Firewall will delete the logs when the specified amount of disk space has been used.

Configuring Groups
The Groups page is used to create groups of users which can be configured to receive automated
alerts and reports.

Creating Groups
To create a group of users:
1 Browse to the Logs and reports > Settings > Groups page.
2 Configure the following settings:
Setting – Description
Group name – From the Group name drop-down list, select Empty and click Select.
Name – Enter a name for the group.
3 Click Save. Advanced Firewall creates the group.
4 In the Add user area, configure the following settings:
Setting – Description
Name – Enter a user's name.
SMS number – If required, enter the user’s SMS number details.
Comment – Optionally, enter a description or comment.
Email address – If required, enter the user's email address.
Enable HTML Email – Select if you want emailed reports to be sent in HTML format.
Select Enabled to ensure that the user will receive any reports or alerts that are sent to the group.
5 Click Add. The user's details will be added to the list of current users in the Current users region.

Editing a Group
To edit a group:
1 Browse to the Logs and reports > Settings > Groups page.
2 Choose the group that you wish to edit using the Group name drop-down list. Click Select to display the group.
3 Make any changes to the group using the controls in the Add a user and Current users areas.

Deleting a Group
To delete a group:
1 Browse to the Logs and reports > Settings > Groups page.
2 Select the group to be deleted using the Group name drop-down list.
3 Click Delete.

Configuring Output Settings
Reports and alerts are distributed according to Advanced Firewall's output settings. In order to send
reports and alerts, Advanced Firewall must be configured to operate with mail servers and email-to-SMS
gateway systems.
To access output settings:
1 Browse to the Logs and reports > Settings > Output settings page.

About Email to SMS Output
Advanced Firewall generates SMS alerts by sending emails to a designated email-to-SMS gateway. When an
email-to-SMS gateway receives an email, it extracts the information it needs and composes an SMS message
which is then sent.

A wide variety of different email-to-SMS gateway services are available. Unfortunately, each has its own
definition of the format that an email should arrive in. While there are a few conventions (usually the
destination SMS number is placed in the email's subject line), it is necessary to configure Advanced
Firewall so that it can format email messages in the format specified by your email-to-SMS gateway service
provider.

About Placeholder Tags
To allow easy configuration of message formats for different service providers, Advanced Firewall uses
placeholder tags that can be incorporated into an email template. The placeholder tags available are as
follows:
   %%ALERT%%
      The content of the alert message.
   %%SMS%%
      The recipient SMS number.
   %%EMAIL%%
      The recipient's email address.
   %%HOSTNAME%%
      The hostname of the Advanced Firewall system (useful when using multiple firewall systems).
   %%DESCRIPTION%%
      The description of the Advanced Firewall system (useful when using multiple firewall systems).
   %%--%%
      A special placeholder that indicates that all text following it should be truncated to 160
      characters. This requires truncation to be enabled (indicated by the Truncate SMS messages to 160
      characters option).

For example, if an email-to-SMS gateway requires emails to be sent to:
   <telephone number>@sampleSMS.com
the following configuration would provide this:
   %%SMS%%@sampleSMS.com

If the content of the message should be entered in the email message body, the following configuration
would provide this:
   %%ALERT%%

Networks with multiple Advanced Firewall systems may wish to include detail of the system that the alert
was generated by. The following examples would provide this:
   %%ALERT%% - From: %%HOSTNAME%%
   %%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)
   %%ALERT%% - From: %%DESCRIPTION%%
   %%ALERT%% -%%HOSTNAME%%
   %%ALERT%% :%%DESCRIPTION%% (%%HOSTNAME%%)

Some email-to-SMS gateways cannot process messages whose content is longer than 160 characters. To
compensate for this, Advanced Firewall can be configured to truncate messages – in this mode, all
characters past position 155 are removed and the text "...+" is appended to the message to indicate that
truncation has occurred.

A further complication is caused by email-to-SMS gateways that require parameters such as usernames and
passwords to be set within the email's message body. In situations where truncation is enabled, such
additional (yet required) parameter text may force truncation of the actual alert. To avoid this, insert
the special %%--%% placeholder at the start of the actual message content, so that any truncation is only
applied to the actual alert content.
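The following is an added example, not Smoothwall's code, that models the template behaviour described
above: single-pass placeholder substitution, truncation of anything past position 155 with a marker
appended, and the %%--%% marker confining truncation to the alert text so that gateway parameters placed
before it survive intact. The exact marker string "...+", the sample alert values and the sample
templates are assumptions made for the example.

```python
"""Email-to-SMS template rendering as described in the guide (added example)."""
import re

# Only the five documented tags are expanded; anything else is left as typed.
PLACEHOLDER = re.compile(r"%%(ALERT|SMS|EMAIL|HOSTNAME|DESCRIPTION)%%")
TRUNCATE_MARK = "%%--%%"   # text before this marker is never truncated
SMS_LIMIT = 160            # gateways that cannot take longer message bodies
KEEP = 155                 # characters kept when truncating
SUFFIX = "...+"            # assumption: the guide's truncation indicator

# Constructed sample values for one alert; not real hosts or numbers.
SAMPLE = {
    "ALERT": "IDS: 37 portscan events from 203.0.113.9 in the last 10 minutes",
    "SMS": "447700900123",
    "EMAIL": "noc@example.com",
    "HOSTNAME": "fw-edge-1",
    "DESCRIPTION": "Head office",
}


def expand(template: str, values: dict) -> str:
    """Substitute placeholders in a single pass.

    One re.sub means a value that itself contains %%SMS%% (for example an
    alert quoting an attacker-supplied string) is inserted literally and never
    expanded, so alert content cannot smuggle in extra placeholders.
    """
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def render_body(body_template: str, values: dict, truncate: bool) -> str:
    """Expand the SMS message body and apply the 160-character rule.

    The template is split on %%--%% *before* expansion so that a marker
    appearing inside an alert value cannot move the truncation point.
    """
    head_t, marker, tail_t = body_template.partition(TRUNCATE_MARK)
    if not marker:
        head_t, tail_t = "", body_template   # no marker: whole body is subject to truncation
    head, tail = expand(head_t, values), expand(tail_t, values)
    if truncate and len(tail) > SMS_LIMIT:
        tail = tail[:KEEP] + SUFFIX
    return head + tail


def render_message(to_template: str, subject_template: str, body_template: str,
                   values: dict, truncate: bool) -> dict:
    """Produce the To:, Subject: and body that the gateway will receive."""
    return {
        "to": expand(to_template, values),
        "subject": expand(subject_template, values),
        "body": render_body(body_template, values, truncate),
    }


if __name__ == "__main__":
    msg = render_message("%%SMS%%@sampleSMS.com", "%%SMS%%",
                         "user=gw-account pass=gw-secret %%--%%%%ALERT%% - From: %%HOSTNAME%%",
                         SAMPLE, truncate=True)
    for field, value in msg.items():
        print(f"{field}: {value}")
```

Splitting on the marker before expanding, and expanding in a single pass, are the two decisions that keep
alert content (which may quote hostile input) from influencing how the template is laid out.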

Configuring Email to SMS Output
To configure Advanced Firewall's SMS settings:
1 Browse to Logs and reports > Settings > Output settings.
2 In the Email to SMS Output System area, configure the following settings:
   SMTP server
      Enter the hostname or IP address of the SMTP server to be used by Advanced Firewall.
   Sender's email address
      Enter the sender's email address. This would typically be a valid email address reserved and
      frequently checked for IT administration purposes. This might also be an email address that is
      registered with your email-to-SMS gateway provider.
   SMS to address
      Specify the formatting of the email's To: address according to the format required by your service
      provider. This may be a regular email address, or it may require additional placeholders such as
      %%SMS%% to identify the destination of the SMS.
   SMS subject line
      Enter the subject line of the SMS email as specified by your email-to-SMS service provider. This
      will often contain the %%SMS%% placeholder as many email-to-SMS gateways use the subject line for
      this purpose.
   SMS message body
      Enter additional parameters and the content of the alert message. If truncation is required from a
      particular point onwards, use the %%--%% placeholder to indicate its start position.
   Truncate SMS messages to 160 characters
      Select if you want the content of the SMS message body to be truncated to 160 characters or if your
      email-to-SMS gateway service provider instructs you to do so.
   Enable SMTP auth
      Select to use SMTP auth if required.
   Username
      If using SMTP auth, enter the username.
   Password
      If using SMTP auth, enter the password.
3 Click Save.
Note: SMTP credentials are only protected if the session to the SMTP server is encrypted, so use an SMTP
server on a trusted network path and an account dedicated to sending alerts.

Testing Email to SMS Output
To test the output system:
1 In the Send test to: field, enter the cell phone number of the person who is to receive the test.
2 Click Send test.

Output to Email
To configure email settings:
1 Browse to Logs and reports > Settings > Output settings.
2 In the SMTP (Email) Output System area, configure the following settings:
   SMTP server
      Enter the hostname or IP address of the SMTP server to be used by Advanced Firewall.
   Sender's email address
      Enter the sender's email address. This would typically be a valid email address reserved and
      frequently checked for IT administration purposes. This might also be an email address that is
      registered with your email-to-SMS gateway provider.
   Enable SMTP auth
      Select to use SMTP auth if required.
   Username
      If using SMTP auth, enter the username.
   Password
      If using SMTP auth, enter the password.
3 Click Save.

Generating a Test Alert
To generate a test alert:
1 Configure Email to SMS output and/or SMTP (Email) output.
2 Click Generate test alert.

Chapter 13
Managing Your Advanced Firewall
In this chapter:
• Installing system and security updates
• Managing module installations and product licensing
• Creating and restoring archives
• Scheduling automatic maintenance
• Shutting down and restarting
• Setting system preferences
• Configuring administration and access settings
• Managing tenants
• Configuring UPS devices, modems, hardware failover and firmware settings
• Producing diagnostic files
• Managing certificates.

Installing Updates
The following section explains how to install updates. Administrators should use Advanced Firewall's
update facility whenever a new update is released. Updates are typically released in response to evolving
or theoretical security threats as they are discovered. System updates may also include general product
enhancements as part of Smoothwall's commitment to continuous product improvement.
Smoothwall's support systems are directly integrated with Advanced Firewall's system update procedure,
allowing the Smoothwall support department to track the status of your system. Advanced Firewall must be
connected to the Internet in order to discover, download and install system updates.
Note: If Advanced Firewall is configured for failover, see Installing Updates on a Failover System on
page 260 for information on how to proceed.

To install updates:
1 Navigate to the System > Maintenance > Updates page.
2 Configure the following settings:
   Refresh update list
      Click to get a list of available updates. Any updates available will be listed in the Available
      updates area.
   Download updates
      Click to download all available updates. Once downloaded, the updates are listed in the Pending
      updates area.
   Clear download cache
      Click to clear any downloaded updates stored in the cache.
   Install updates
      Click to install all updates in the Pending updates area immediately.
   Install at this time
      Enter the time at which you want to install the updates if you do not want to install them
      immediately and click Install at this time.
3 If the update requires a reboot, reboot the system on the System > Maintenance > Shutdown page.

Installing Updates on a Failover System
The following section explains how to install updates on a failover system.
To install updates on a failover system:
1 On the master's System > Maintenance > Updates page, download the updates.
2 Wait until the updates have been transferred to the failover unit. This should happen within 5 minutes.
3 Go to the failover unit's web interface and install the pending updates. Once they have been installed,
the failover unit displays information on the update and prompts for a reboot.
4 On the System > Maintenance > Shutdown page, reboot the failover unit.
5 When the failover unit is up and running again, install the updates on the master and reboot. During
master downtime, the failover unit is active and remains so until the master is live again.
Following these steps ensures the correct application of all pending updates and also performs a failover
test between the master and the failover unit.

Managing Modules
Advanced Firewall's major system components are separated into individually installed modules. Modules
can be added to extend Advanced Firewall's capabilities, or removed in order to simplify administration
and reduce the theoretical risk from as yet undiscovered security threats. Advanced Firewall must be
connected to the Internet in order to install modules.
Note: The information displayed depends on the product series you are using.
Note: Modules must be registered against your Advanced Firewall serial number before they can be
installed and used. For further information, please consult your Smoothwall partner or, if purchased
directly, Smoothwall.
To install a module:
1 Navigate to the System > Maintenance > Modules page.
2 In the Available modules area, locate the module and click Install. Please read the module description
carefully prior to installation.
3 Reboot Advanced Firewall on the System > Maintenance > Shutdown page.
Note: Some module installations require a full reboot of Advanced Firewall.

Removing a Module
To remove a module:
1 Navigate to the System > Maintenance > Modules page.
2 In the Installed modules area, locate the module and click Remove.

Licenses
Advanced Firewall contains information on licenses and subscriptions.
Note: The information displayed depends on the Smoothwall product you are using.
To view license information:
1 Navigate to the System > Maintenance > Licenses page.
Note: The Subscriptions area is used to manage blocklists used by add-on modules. For more information,
see the documentation delivered with your Smoothwall add-on module.

Installing Licenses
You can buy additional licenses from Smoothwall or an approved Smoothwall partner. License installation
and activation is an automated process, initiated via a secure request to Smoothwall licensing servers.
To install additional licenses:
1 Navigate to the System > Maintenance > Licenses page.
2 Click Refresh license list. This will cause the available license information to be updated via the
Internet, and any new licenses will be installed.

Archives
The Archives page is used to create and restore archives of system settings. Archives can be saved on
removable media and used when restoring an Advanced Firewall system. They can also be used to create
clones of existing systems.

Tip: Log on to our support portal and read how to set up a Windows SSH server with keys in order to back
up system settings.
Note: You can automatically schedule the creation of backup archives. For more information, see
Scheduling on page 264.

About Archive Profiles
You can assign a profile to an archive enabling you to specify which components you want backed up in a
particular archive. You can create and assign up to 20 profiles and generate their archives
automatically. Profiles are also used to store settings for Smoothwall replication systems. For more
information on replication in Smoothwall systems, see Chapter 14, Centrally Managing Smoothwall Systems
on page 291.

Creating an Archive
To create an archive:
1 Navigate to the System > Maintenance > Archives page.
2 Configure the following settings:
   Profile
      To create a new profile, from the drop-down list select Empty and click Select. To reuse or modify
      an existing profile, from the drop-down list select the profile and click Select.
   Profile name
      Enter a name for the profile.
   Comment
      Enter a description for the archive.
   Automatic backup
      Select if you want to archive settings automatically.
   Settings
      Settings available include general settings for Advanced Firewall and replicable settings which
      can be used in a Smoothwall system. Select the components you want to archive or select All to
      select and archive all settings. A marker beside a setting indicates that the setting can be
      replicated. For further information, see Chapter 14, Centrally Managing Smoothwall Systems on
      page 291.
   Logs
      Select the log files you want to archive or select All to select and archive all logs.
3 Click Save and backup to create the archive.

Downloading an Archive
To download an archive:
1 In the Archives area, select the archive.
2 Click Download and save the archive to disk using the browser's Save as dialog box.
Note: A settings archive contains the system's configuration, including any credentials configured in
it, so store downloaded archives with the same care as the administrator password.

Restoring an Archive
To restore an archive:
1 In the Archives area, select the archive.
2 Click Restore. The archive contents are displayed.
3 Select the components in the archive that you want to restore and click Restore.

Deleting Archives
To delete an archive:
1 In the Archives area, select the archive and click Delete.

Uploading an Archive
This is where you upload archived settings from previous versions of Advanced Firewall and Smoothwall
modules so that they can be re-used in the current version(s).
To upload an archive:
1 In the Upload area, enter the name of the archive and click Browse.
2 Navigate to and select the archive.
3 Click Upload to upload the archive.

Scheduling
You can configure Advanced Firewall to automatically discover and download system updates, modules and
license upgrades using the scheduler. You can also use the scheduler to create and remotely archive
automatic backups. Other system modules can integrate with the scheduler to provide additional automated
maintenance tasks.

To create a schedule of tasks:
1 Navigate to the System > Maintenance > Scheduler page.
2 Configure the following settings:
   Day
      From the drop-down list, select the day of the week that the tasks will be executed.
   Hour
      From the drop-down list, select the time of day at which the tasks will be executed.
   Check for new updates
      Select to check for new system updates.
   Download updates
      Select to download available updates.
   Check for new modules
      Select to check for new modules.
   Check for license upgrades
      Select to discover and install license upgrades.

   Prune archives
      Options here enable you to schedule archive pruning if you require it. Select one of the following
      options:
      Don't prune – This is the default option, archives are never pruned.
      Over a month – Select this option to prune archives that are older than one month.
      Over 2 months – Select this option to prune archives that are older than two months.
      Over 3 months – Select this option to prune archives that are older than three months.
3 Click Save.

Scheduling Remote Archiving
Scheduled remote archiving uses SSH keys to allow Advanced Firewall to securely copy files to a remote
SSH server without the need for passwords. Advanced Firewall generates a key pair and uses the private
half to authenticate to the SSH server; the file transfers themselves are protected by the encrypted SSH
session. The SSH server must be configured to accept connections from Advanced Firewall in this manner –
it requires the public half of the key pair to be installed.
To schedule remote archiving:
1 Navigate to the System > Maintenance > Scheduler page.
2 In the Remote archive destinations area, click Export Public Backup Key.
3 Install the public key on the remote SSH server – for details on how to do this, please consult the
administrator's guide of the SSH server in use.
4 In the Remote archive destinations area, enter the following information:
   Name
      Enter a name to identify this destination.
   Server
      Set the IP address of the SSH server.
   Port Number
      Set the port number used to access the SSH server (normally port 22).
   Username
      Specify the user name of the account on the SSH server that will be used. For additional security
      it is recommended that this user has no additional privileges and is only allowed write access to
      the specified Remote path.
   Remote path
      Enter the path where archives are to be stored on the remote SSH server, for example:
      /home/mypath/
      If left blank, Advanced Firewall uses the default home directory of the specified remote user.
   Transfer Speed Limit
      Specify the maximum transfer speed when automatic archiving occurs. This control is useful for
      preventing the automatic remote archiving system adversely affecting the performance of other
      network traffic.
   Comment
      Enter a description of the destination.
5 Click Add.
6 Repeat the steps above to make other destinations available.
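The following is an added example, not Smoothwall's code or a procedure from this guide, showing the
server-side half of step 3 for an OpenSSH server: the exported public backup key is written into the
archive account's authorized_keys with options that pin it to the firewall's source address and deny a
terminal and any forwarding, so that a leaked key can only be used to deliver files from the firewall.
The firewall address, account directory, archive path and key text below are constructed sample values;
the real key is the one exported by Export Public Backup Key.

```python
"""Install the firewall's public backup key for a dedicated, write-only archive account (added example)."""
import os
import stat
import tempfile

# Constructed sample values; substitute the real exported key and the firewall's address.
FIREWALL_IP = "192.0.2.10"
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample backup@fw-edge-1"


def restricted_key_line(pubkey: str, firewall_ip: str) -> str:
    """Build an authorized_keys entry usable only from the firewall and only for file transfer.

    from=              pins the key to the firewall's source address (sshd also accepts CIDR here)
    no-pty             denies an interactive terminal
    no-*-forwarding    stops the account being used as a tunnel into the backup network
    """
    options = ",".join([
        f'from="{firewall_ip}"',
        "no-pty",
        "no-port-forwarding",
        "no-agent-forwarding",
        "no-X11-forwarding",
    ])
    return f"{options} {pubkey.strip()}"


def install_key(home: str, line: str) -> str:
    """Append the entry to home/.ssh/authorized_keys with the modes sshd insists on (0700 / 0600)."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)            # makedirs honours umask, so set the mode explicitly
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    os.chmod(path, 0o600)
    return path


def prepare_remote_path(remote_path: str) -> str:
    """Create the Remote path the firewall copies into, readable by the archive account only."""
    os.makedirs(remote_path, exist_ok=True)
    os.chmod(remote_path, 0o700)
    return remote_path


def mode_of(path: str) -> int:
    """Permission bits of a path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(home: str = "") -> dict:
    """Run the whole setup against a scratch home directory and report what was written."""
    home = home or tempfile.mkdtemp(prefix="fw-backup-")
    line = restricted_key_line(SAMPLE_PUBKEY, FIREWALL_IP)
    key_file = install_key(home, line)
    archive_dir = prepare_remote_path(os.path.join(home, "archives"))
    with open(key_file, encoding="utf-8") as fh:
        contents = fh.read()
    return {"line": line, "key_file": key_file, "contents": contents,
            "key_mode": mode_of(key_file), "dir_mode": mode_of(os.path.dirname(key_file)),
            "archive_mode": mode_of(archive_dir)}


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

Run it as root against the archive account's real home directory and then chown the .ssh directory and
the archive path to that account; creating the account itself with no other group memberships is left to
the administrator. The from= option is a source-address check inside sshd and complements, rather than
replaces, restricting port 22 on the backup host to the firewall.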

7 In the Remote archival area, enter the following information:
   Day
      The day of the week to carry out the archive.
   Hour
      The hour of the day to carry out the archive.
   Archive destination
      From the drop-down list, select a destination as configured in the Remote archive destinations
      area.
   Archive profile
      From the drop-down list, select an archive profile as configured on the Archives page.
   Comment
      Enter a description of the archive.
   Enabled
      Select to enable the archive.
8 Click Add.
9 Repeat the steps above to configure other archives for scheduled remote archiving.
Note: A local copy of the archive is also created and stored.

Editing Schedules
To edit a schedule:
1 In the appropriate area, select the destination or task and click Edit or Remove.

Shutting down and Rebooting
Advanced Firewall can be shut down or restarted immediately, after a specified delay or at a
predetermined time.
To shut down or reboot:
1 Browse to the System > Maintenance > Shutdown page.
2 Configure the following settings:
   Immediately
      Select to shut down or reboot immediately.
   Delay action for
      Select to shut down or reboot after a specified length of time. From the drop-down menu, select
      the length of time.

   At the following time
      Select to shut down or reboot at a specified time. From the drop-down menu, select the hour and
      minute at which to shut down or reboot.
3 Click Reboot to reboot at the specified time, or click Shutdown to shut down at the specified time.

Setting System Preferences
The following sections discuss how to configure the user interface, time settings and a web proxy if
your ISP requires you to use one. It is also possible to alter the system's description.

Configuring the User Interface
Advanced Firewall can be customized in different ways, depending on how you prefer working. The main
changes that can be made are the method of displaying errors and the drop-down list navigation system.
To configure the user interface:
1 Browse to the System > Preferences > User interface page.
2 Configure the following settings:
   Host information
      In the description field, enter a description to identify Advanced Firewall. This will be
      displayed in the title bar of the browser window.
   System control page
      From the Report to show drop-down list, select the report you want displayed on the Dashboard.
   Dashboard sections
      Determines what, if any, information is displayed in the System Services area on the Dashboard.
3 Click Save.

Setting Time
Advanced Firewall's time zone, date and time settings can be specified manually or automatically
retrieved from a local or external Network Time Protocol (NTP) server, typically located on the
Internet. Advanced Firewall can also act as an NTP server itself, allowing network wide synchronization
of system clocks.
To set the time:
1 Navigate to the System > Preferences > Time page.
2 Configure the following settings:
   Timezone
      From the drop-down list, select the appropriate time zone.
   Time and date
      To manually set the time and date:
      1 Select Set and use the drop-down lists to set the time and date.
   Network time retrieval
      To automatically retrieve time settings:
      1 Select Enabled in the Network time retrieval area.
      2 Choose the time retrieval frequency by selecting an interval from the Interval drop-down list.
      3 Select Save time to RTC to ensure that the time is written back to the system's hardware clock
      (the Real-Time Clock).
      4 Choose one of the following network retrieval methods:
         Multiple random public servers – select to set the time as the average time retrieved from
         five random time servers
         Selected single public server – select from the drop-down list a public time server to use to
         set the time
         User defined single public or local server – enter the address of a specific local or external
         time server.

   Network time service interfaces
      Advanced Firewall can be used to synchronize the system clocks of local hosts by providing a time
      service. To synchronize the network time service:
      1 Enable network time retrieval.
      2 Select each internal network interface that the network time service should be available from.
3 Click Save.

Configuring Registration Options
Advanced Firewall enables you to use an upstream registration proxy if your ISP requires you to use one,
and optionally, supply information about the status of your system and web filtering statistics.
To configure registration options:
1 Navigate to the System > Preferences > Registration options page.
2 Configure the following settings:
   Upstream registration proxy
      Server – Enter the hostname or IP address of the proxy server.
      Port – Enter the port number to use.
      Username – Enter the username provided by your ISP.
      Password – Enter the password provided by your ISP.
      Note: The upstream proxy has no bearing on Advanced Firewall proxy services.

   Extended information
      When registering, Advanced Firewall sends information about licences, subscriptions and add-on
      modules to Smoothwall. When this option is enabled and depending on which add-on modules are
      installed, the following information is also sent:
      • Enabled status for optional services
      • The number of configured interfaces and whether they are internal or external
      • Authentication service settings and the LDAP server type
      • Guardian transparent mode and authentication service settings mode
      • Manufacturer name and product name – from dmidecode
      • Main board manufacturer and main board product name – from dmidecode.
      Note: No usernames, passwords or sensitive information are sent and any potentially identifying
      data is summarized before sending. Smoothwall will take every available measure to ensure data
      cannot be associated with your organization and no personal information is ever sent.
   Provide filtering feedback information
      When enabled, Advanced Firewall will periodically send information about web filtering accuracy
      and a list of the domains of any web sites which could not be classified.
3 Click Save. Advanced Firewall starts to use the configured upstream proxy when registering, updating
and/or installing add-on modules and, if enabled, sends registration and/or filtering information.

Configuring the Hostname
You can configure Advanced Firewall's hostname. A hostname should usually include the name of the
domain that it is within.
To change the hostname:
1 Browse to the System > Preferences > Hostname page.
2 Enter a new value in the Hostname field and click Save.
Note: After setting the hostname, a reboot is required before the HTTPS server will use the hostname in
its Common Name field.

Configuring Administration and Access Settings
The following sections discuss administration, external access and account settings.

Configuring Admin Access Options
You can enable and disable remote access to Advanced Firewall's console via Secure Shell (SSH) and
configure remote access referral checking.
To access Advanced Firewall via remote SSH, the following criteria must be met:
• The host must be from a valid network zone
• The host must be from a valid source IP
• The SSH service must be enabled
• Admin access must be set to enabled
• The setup or root username and password must be known.
Note: Terminal access to Advanced Firewall uses the non-standard port 222.
To permit access to the console via SSH:
1 Navigate to the System > Administration > Admin options page.
2 Select SSH and click Save.

Referral Checking
In order to ensure that configuration requests from the web interface originate from a logged in
administrator, and not some third party web page, you can enable remote access referral checking. When
enabled, administration requests are only processed if the referral URL contains the local IP address,
the local hostname, or the external IP address where applicable.
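The check above is a Referer-based defence against configuration requests forged from another web page.
The guide describes it as accepting a referral URL that "contains" one of the firewall's own addresses;
the added example below (not Smoothwall's implementation) shows the stricter form a reviewer would ask
for, comparing the parsed host and port of the Referer against the firewall's own admin addresses and
ports, beside a literal substring test, so the difference on crafted URLs is visible. The addresses,
hostname and sample Referer values are constructed; the admin ports 81 and 441 are those the guide
documents.

```python
"""Host-based validation of the Referer header for admin requests (added example)."""
from urllib.parse import urlsplit

# Constructed: the addresses an administrator would legitimately browse the UI at
# (local IP, local hostname, external IP).
ADMIN_HOSTS = {"192.168.1.1", "fw.corp.example", "203.0.113.5"}
ADMIN_PORTS = {81, 441}   # HTTP and HTTPS admin ports named in the guide


def substring_check(referer: str, hosts=ADMIN_HOSTS) -> bool:
    """A literal 'the referral URL contains the local IP address' test, kept for comparison."""
    return any(h in referer for h in hosts)


def referer_allowed(referer: str, hosts=ADMIN_HOSTS, ports=ADMIN_PORTS) -> bool:
    """Accept only a well-formed http(s) Referer whose host and port are the firewall's own.

    urlsplit().hostname strips userinfo, IPv6 brackets and case, so URLs such as
    https://192.168.1.1@evil.example/ or https://evil.example/192.168.1.1/ resolve
    to the attacker's host and are rejected even though they contain the admin IP.
    """
    if not referer:
        return False          # a missing Referer is treated like a foreign one and ignored
    try:
        parts = urlsplit(referer)
        port = parts.port     # raises ValueError on a malformed port such as ':abc'
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.hostname in hosts and port in ports


# Constructed sample Referer values: the first two are genuine admin pages.
SAMPLES = [
    "https://192.168.1.1:441/cgi-bin/system.cgi",
    "http://fw.corp.example:81/cgi-bin/logs.cgi",
    "https://evil.example/192.168.1.1:441/",        # admin IP in the path
    "https://192.168.1.1@evil.example:441/",        # admin IP as userinfo
    "https://192.168.1.1.evil.example:441/",        # admin IP as a subdomain label
    "https://fw.corp.example.dyndns.example:441/",  # a DDNS name: rejected, as the guide's Note warns
    "",
]


def evaluate(referers=SAMPLES) -> list:
    """Return (referer, substring_result, host_result) for each sample."""
    return [(r, substring_check(r), referer_allowed(r)) for r in referers]


if __name__ == "__main__":
    for r, weak, strict in evaluate():
        print(f"{'ALLOW' if strict else 'DENY ':5}  substring={weak!s:5}  {r!r}")
```

The host allowlist is also what produces the behaviour the guide's Note describes: an administrator
reaching the interface through a DNS or Dynamic DNS name sends a Referer whose host is not one the
firewall knows as its own, so those requests are refused unless the check is disabled.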

If the referral is not from an Advanced Firewall page, the request is ignored and reported in the general
Smoothwall log file.
Note: This function prevents Advanced Firewall from being accessed remotely via a DNS or a Dynamic DNS
address. To remotely manage an Advanced Firewall system via a DNS or a Dynamic DNS address, the referral
URL check must be disabled.
To enable referral checking:
1 Navigate to the System > Administration > Admin access page.
2 Select Allow admin access only from valid referral URLs in the Remote Access area.
3 Click Save.

Configuring External Access
External access rules are used to determine which interfaces, services, networks and host systems can be
used to administer Advanced Firewall.
The default external access rule allows administrators to access and configure Advanced Firewall from
any source IP that can route to the system's first (default) network interface. This default rule allows
administrators to access any of the following admin services:
• SSH admin – Access to the system console using port 222. Requires SSH access to be enabled, see
Configuring Admin Access Options on page 272.
• HTTP admin – Access to the web-based interface on port 81.
• HTTPS admin – Access to the web-based interface on port 441.
To enable external access:
1 Browse to the System > Administration > External access page.
2 Configure the following settings:
   Interface
      From the drop-down list, select the interface that access is permitted from.

   Source IP, or network
      Specify individual hosts, ranges of hosts or subnet ranges of hosts that are permitted to use
      admin access. For a range of hosts, enter an IP address range, for example,
      192.168.10.1-192.168.10.50. For a particular subnet of hosts, enter a subnet range, for example,
      192.168.10.0/255.255.255.0 or 192.168.10.0/24. If no value is entered, any source IP can access
      the system.
   Service
      Select the permitted access method.
   Enabled
      Select to activate access.
   Comment
      Enter a description for the access rule.
3 Click Add. The access rule is added to the Current rules table.
Note: Do not remove the default external access rule, it provides access to the default internal
network.

Editing and Removing External Access Rules
To edit or remove access rules, use Edit and Remove in the Current rules area.

Administrative User Settings
Advanced Firewall supports different types of administrative accounts.
To manage accounts:
1 Navigate to the System > Administration > Administrative users page.
2 Configure the following settings:
   Username
      Enter a name for the user account.
   Password
      Enter a password. Passwords are case sensitive and must be at least six characters long.

   Again
      Re-enter the password to confirm it.
   Permissions
      Select the account permissions you want to apply to the account:
      Administrator – Full permission to access and configure Advanced Firewall.
      Operator – Permission to shut down or reboot the system.
      Log – Permission to view the system log files.
      Realtime logs – Permission to view realtime logs.
      Reporting system – Permission to access the reporting system.
      Rule editor user – Permission to edit networking outgoing policies, ports and external services.
      For more information, see Chapter 7, Managing Outbound Traffic and Services on page 72.
      SMTP quarantine – Permission to access and manage the SMTP quarantine pages.
      Temp ban – Permission to access and change temporary ban status.
      Portal User – Permission to access the user portal pages.
3 Click Add to add the account.

Changing a User's Password
To set or edit a user's password:
1 Browse to the System > Administration > Administrative users page.
2 In the Current users area, select the user and click Edit.
3 Enter and confirm the new password in the Password and Again fields.
4 Click Add to activate the changes.

Managing Tenants
Note: To add tenants, you must have the correct Advanced Firewall license type. Contact your Smoothwall
representative for more information.
Advanced Firewall's multi-tenancy functionality enables you to define client-organizations – known as
tenants – which can access and use Advanced Firewall services. Multi-tenancy enables Advanced Firewall
to apply network permissions to users whose usernames are not unique. Each tenant has its own directory
server(s) and users. For information on tenants and directories, see Chapter 10, Configuring Directories
on page 195.

Adding a Tenant
Note: When you add tenants to Advanced Firewall, connections coming from addresses not associated with
a tenant will be unable to authenticate.

To add a tenant:
1 Browse to the System > Administration > Tenants page.
2 Click Add new tenant.
3 In the Add new tenant dialog box, configure the following settings:
   Name
      Enter a name to identify the tenant.
   IP address range
      Enter the tenant's IP address, subnet or range.
      Note: An address can only be used by a single tenant. Tenant addresses cannot overlap.
4 Click Add. Advanced Firewall adds the tenant.
5 Repeat the steps above for any other tenants you want to add.

Editing a Tenant
To edit a tenant:
1 On the System > Administration > Tenants page, point to the tenant and click Edit.
2 In the Edit tenant dialog box, make the changes you require. See Adding a Tenant on page 275 for
information on the settings available.
3 Click Save changes. Advanced Firewall applies the changes.

Deleting a Tenant
To delete a tenant:
1 On the System > Administration > Tenants page, point to the tenant and click Delete.
2 When prompted, click Delete. Advanced Firewall deletes the tenant.

Hardware
The following sections discuss how to configure UPS devices, modems and firmware settings.

Managing UPS Devices
Uninterruptible Power Supply (UPS) device(s) physically connected to Advanced Firewall provide emergency power to Advanced Firewall if the mains power supply fails.

UPS Connection Prerequisites
Before you start configuring Advanced Firewall to use a UPS device:
1 Follow the documentation delivered with your UPS device to prepare it for use.
2 Connect the UPS device to Advanced Firewall.
3 On the System > Maintenance > Shutdown page, reboot immediately. Once rebooted, you are ready to start configuring the UPS device.

Configuring the Global Shut Down Condition
The global shut down condition determines when, if ever, an Advanced Firewall connected to a UPS device should shut down.
To configure the global shut down condition:
1 Browse to the System > Hardware > UPS page.
2 Select when Advanced Firewall should shut down:
Setting – Description
Never – Select to never shut down Advanced Firewall.
When all remaining UPS are at low battery – Select to shut down Advanced Firewall when all currently connected UPS devices are at low battery levels.
After a set time of being on battery – Select to specify how long to wait before shutting down Advanced Firewall when running on UPS battery. Delay before shut down – Enter how long in minutes to wait before shutting down Advanced Firewall.
3 Click Save changes. Advanced Firewall applies the shut down condition.

Configuring UPS Devices
UPS devices can be configured to use the following types of connections:

• USB – connects to Advanced Firewall via a USB connection, see Configuring a UPS Device with a USB Connection on page 278
• Serial – connects to Advanced Firewall via a serial connection, see Configuring a UPS Device with a Serial Connection on page 278
• SNMP – connects to Advanced Firewall via an SNMP connection, see Configuring a UPS Device with an SNMP Connection on page 278
• HTTP – connects to Advanced Firewall via an HTTP connection, see Configuring a UPS Device with an HTTP Connection on page 279.
Advanced Firewall also makes information about UPS devices available on the System > Central management > Overview page. For more information, see Chapter 14, Accessing the Node Details Page on page 298. It is also possible to configure an alert which is triggered when power switches to and from mains supply. For more information, see Chapter 12, Enabling Alerts on page 229.

Configuring a UPS Device with a USB Connection
To configure a USB connection:
1 On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2 In the Add new UPS dialog box, configure the following settings:
Setting – Description
Name – Enter a name for the UPS device.
UPS connection – Select USB.
3 Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with a Serial Connection
To configure a serial connection:
1 On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2 In the Add new UPS dialog box, configure the following settings:
Setting – Description
Name – Enter a name for the UPS device.
UPS connection – Select Serial.
Port – From the drop-down list, select the port the UPS device uses.
Manufacturer – From the drop-down lists, select the UPS device's manufacturer and model.
3 Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with an SNMP Connection
To configure an SNMP connection:
1 On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2 In the Add new UPS dialog box, configure the following settings:
Setting – Description
Name – Enter a name for the UPS device.
UPS connection – Select SNMP.
IP address – Enter the IP address that the UPS device will use.
SNMP community – Enter the UPS device's SNMP community string.
3 Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with an HTTP Connection
To configure an HTTP connection:
1 On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2 In the Add new UPS dialog box, configure the following settings:
Setting – Description
Name – Enter a name for the UPS device.
UPS connection – Select HTTP.
IP address – Enter the IP address that the UPS device will use.
Username – If required, enter the user name to be used to connect the device to Advanced Firewall.
Password – If required, enter the password to be used to connect the device to Advanced Firewall.
Confirm – If required, re-enter the password to be used to connect the device to Advanced Firewall.
3 Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Editing UPS Devices
To edit a UPS device's settings:
1 On the System > Hardware > UPS page, in the Connected UPS area, point to the device you want to edit and click Edit.
2 In the Edit UPS dialog box, make the changes required. See Configuring UPS Devices on page 277 for information on the settings available.
3 Click Save changes. Advanced Firewall changes the settings and lists the device in the Connected UPS area.

Deleting UPS Devices
To delete a UPS device:
1 On the System > Hardware > UPS page, in the Connected UPS area, point to the device you want to delete and click Delete.
2 When prompted, click Delete to confirm that you want to delete the device. Advanced Firewall deletes the device and removes it from the list in the Connected UPS area.

Managing Hardware Failover
Advanced Firewall's hardware failover enables you to configure a failover Advanced Firewall system which, in the event of hardware failure, provides all the protection and services your master Advanced Firewall usually provides.
Note: Hardware failover is not included as standard with Advanced Firewall – it must be licensed separately. Contact an authorized Smoothwall partner or visit www.smoothwall.net for more information.

How does it work?
When configured and enabled, the failover Advanced Firewall runs in a standby mode monitoring the master Advanced Firewall for a heartbeat communication. Heartbeat is the name of a suite of

services and configuration options that enable two identical Advanced Firewall systems to be configured to provide hardware failover. The master periodically copies settings to the failover unit to ensure that the failover unit can provide a fully configured service if the master fails.
Note: Settings are copied intermittently and it is theoretically possible that the failover unit will be a few minutes behind configuration changes made to the master.
If the master fails, it stops responding to the failover unit's heartbeat and the failover unit therefore determines that the primary system is no longer available. This will occur somewhere between 0 seconds and the keep-alive time specified when configuring failover. The failover unit then enters a more responsive mode where it monitors the master for its revival. It remains in this mode for the length of dead time you have configured. This stage is designed principally to cope with intermittent failures within the communication system, such as a heavily loaded master. Once the dead time has expired, the failover unit awakens from its standby mode and begins reinstating the settings and services which allow it to take over operations from the master. Since part of this information includes the IP addresses for each of the master interfaces, the failover unit will essentially provide a drop-in replacement and the transition will generally go unnoticed. When the master starts to respond again, be it minutes, days or weeks later, the failover unit hands over control to the master, de-activates its configuration and services and returns to standby mode, assuming that autofailback is enabled.

Prerequisites
The following must be in place for hardware failover to work:
• A private network consisting of only two Advanced Firewall systems connected via their heartbeat interfaces, preferably using a crossover cable
• The master and failover unit should both use the same types of hard disk drives, RAM, and above all the same type and number of network interface cards
• The failover unit must be plugged into all the switches the master is plugged into
• SSH must be enabled on the master, see Configuring Admin Access Options on page 272 for more information.

Configuring Hardware Failover
Configuring hardware failover entails:
• On the master, specifying a network interface for the heartbeat and configuring and generating a failover archive to deploy on the failover unit
• On the failover unit, installing Advanced Firewall and deploying the failover archive.

Configuring the Master
To configure the master Advanced Firewall:
1 Navigate to the Networking > Interfaces > Interfaces page.
2 Point to the interface to be used by the hardware failover master and failover unit systems to communicate with each other and click Edit.
Note: The master and failover unit systems are connected via their heartbeat interfaces on a private network. It is critically important that this network is not congested and suffers as little latency as is possible. For these reasons, we strongly recommend that this connection be a crossover cable. Using a crossover cable also minimizes the risk of failure as it is possible that the switch the heartbeat interface is on could fail.
3 In the Edit interface dialog box, configure the following settings:
Setting – Description
Name – Accept the default name or enter a custom name.
Use as – Select Heartbeat interface.

Spoof MAC – Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
MTU – Optionally, enter the maximum transmission unit (MTU) value required in your environment.
4 Click Save changes.
5 Navigate to the System > Hardware > Failover page.
6 Configure the following settings:
Setting – Description
Enabled – Select to enable failover.
Master heartbeat IP – Enter an IP address for the master. Note: We recommend that this network be private and only used by the master and failover units.
Slave heartbeat IP – Enter an IP address for the failover unit. Note: We recommend that this network be private and only used by the master and failover units.
Netmask – Enter a netmask. Note: We recommend that this network be private and only used by the master and failover units.
Keep-alive interval – Set the interval after which the master and failover unit communicate to ensure the master is still working. The default is 1 second. In non-congested networks, we recommend a very short interval which is undetectable in terms of system performance.
Dead time – Specify how long after the failover unit has become aware that the master is no longer responding it should wait before taking over from the master.
Auto failback – Select if you want the failover unit to automatically hand back control to the master when the master starts to respond after a hardware failure. The failover unit will hand over control to the master, deactivate its configuration and services and return to standby status.
7 Click Save.
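The interaction between the Keep-alive interval, Dead time and Auto failback settings above, and the standby, watching and active stages described under How does it work?, can be followed more easily as a small state machine. The following Python simulation is an added example, not code from the guide or from the product's Heartbeat implementation; the state names, the 10 second dead time and the heartbeat schedules are assumptions made for the illustration, while the 1 second keep-alive default is the value the guide gives. It replays a schedule of master heartbeats and records each transition, including the intermittent-failure case where the master answers again within the dead time, and the manual Enter standby mode action used when Auto failback is off.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class State(Enum):
    STANDBY = "standby"    # master is serving; failover unit only listens for heartbeats
    WATCHING = "watching"  # a heartbeat was missed; waiting out the dead time
    ACTIVE = "active"      # failover unit has reinstated settings and taken over


@dataclass
class FailoverUnit:
    keep_alive: float = 1.0     # seconds between heartbeats; 1 second is the guide's default
    dead_time: float = 10.0     # seconds to wait before taking over; an assumed value
    auto_failback: bool = True
    state: State = State.STANDBY
    last_heartbeat: float = 0.0
    missed_since: Optional[float] = None
    events: List[Tuple[float, str]] = field(default_factory=list)

    def heartbeat(self, now: float) -> None:
        """A heartbeat arrived from the master."""
        self.last_heartbeat = now
        if self.state is State.WATCHING:
            # Master answered again within the dead time: an intermittent failure,
            # for example a heavily loaded master, so no takeover happens.
            self._transition(now, State.STANDBY)
        elif self.state is State.ACTIVE and self.auto_failback:
            # Master revived: hand control back, deactivate services, return to standby.
            self._transition(now, State.STANDBY)

    def tick(self, now: float) -> None:
        """Periodic check: notice a silent master and enforce the dead time."""
        if self.state is State.STANDBY and now - self.last_heartbeat > self.keep_alive:
            self.missed_since = now
            self._transition(now, State.WATCHING)
        elif self.state is State.WATCHING and now - self.missed_since >= self.dead_time:
            self._transition(now, State.ACTIVE)

    def enter_standby(self, now: float) -> None:
        """Manual failback: the Enter standby mode action on the failover unit."""
        if self.state is not State.STANDBY:
            self._transition(now, State.STANDBY)

    def _transition(self, now: float, new: State) -> None:
        self.events.append((now, f"{self.state.value} -> {new.value}"))
        self.state = new


def simulate(heartbeat_times: Iterable[float], until: int, **settings) -> FailoverUnit:
    """Replay a schedule of master heartbeat times, ticking the failover unit once per second."""
    unit = FailoverUnit(**settings)
    pending = sorted(float(t) for t in heartbeat_times)
    for t in range(until + 1):
        now = float(t)
        while pending and pending[0] <= now:
            unit.heartbeat(pending.pop(0))
        unit.tick(now)
    return unit


if __name__ == "__main__":
    # Constructed schedule: master heartbeats for 6 seconds, dies, then revives at t=25.
    unit = simulate(list(range(6)) + list(range(25, 31)), until=30)
    for when, change in unit.events:
        print(f"t={when:5.1f}s  {change}")
```

The simulation makes the guide's trade-off visible: a short dead time means a faster takeover but more risk of an unnecessary one during a transient heartbeat loss, which is why the heartbeat link should be a quiet, private connection.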

8 Browse to the System > Maintenance > Shutdown page, select Immediately and click Reboot. Wait a couple of minutes for the system to reboot and then log in again.
The next step is to generate the failover archive to deploy on the failover unit.

Generating a Failover Archive
A failover archive contains the settings required to configure the failover unit to provide hardware failover for Advanced Firewall.
To generate a failover archive:
1 Navigate to the System > Hardware > Failover page and configure and save the failover settings. See Configuring the Master on page 281.
2 Click Generate slave setup archive. Advanced Firewall generates the archive and prompts you to specify where to save it.
3 Save the archive on some suitable removable media accessible by the failover unit.
Note: The size of the failover unit archive varies depending on the Smoothwall modules installed. 50 M bytes is an average size.
The next step is to use the archive to implement the failover settings on the failover unit.

Implementing Failover Settings on the Failover Unit
Implementing failover on the failover unit entails running the setup program and using the restore options to apply the settings.
To implement failover on the failover unit:
1 Install Advanced Firewall using the quick install option. See the Advanced Firewall Installation and Setup Guide for more information. On the following screen:
1 Select Yes and press Enter.
2 Select the type of media the archive is stored on and press Enter. You are prompted to insert the media.
3 Insert the media and press Enter.
4 Select the archive and press Enter. The failover settings are installed.
5 When prompted, press Enter to reboot the failover unit. The failover unit will reboot and automatically enter standby mode.

Administering Failover
There are no noticeable differences between administering Advanced Firewall used as a master and one which is not used as a master. There should be little or no need to administer the failover unit on a day to day basis. However, from time to time, you will need to install updates.
Note: For information on installing updates in failover units, see Installing Updates on a Failover System on page 260.

Updates are not automatically applied in order to ensure that the failover unit can provide a known good system to failover to in case of any issues resulting from updates to the master.

Accessing the Failover Unit
With failover implemented, the active Advanced Firewall system is always accessed via the usual address, whether services and protection are being supplied by the master or the failover unit. When you need to access the failover unit directly you can do so using a variation of the address for the master, when the failover unit is in active operation, as when in standby mode the failover unit has no effective presence on any of the local or remote networks.
For example, to access the master's Update page the address would usually look as follows:
https://192.168.72.142:441/cgi-bin/admin/updates.cgi
To access the settings on the failover unit, the address would be:
https://192.168.72.142:440/cgi-bin/admin/updates.cgi
All communications with the user interface on the failover unit are via HTTPS and on port 440 instead of port 441 on the active system. The address used, in the example above 192.168.72.142, is the address of the master.

Testing Failover
In order to test failover, you can force the master to enter standby mode.
To test failover:
1 On the master, go to the System > Hardware > Failover page and click Enter standby mode. After a short period of time the failover unit will take over from the master.
2 To restore operations to the master, go to the System > Hardware > Failover page and click Enter standby mode to restore the system to normal operation.
Note: If Auto failback is enabled, rebooting the master will also return it to active service and force the failover unit into standby mode.

Manual Failback
In configurations where Auto failback is not enabled, but the master system has become available again after corrective action has been taken, you can manually failback to the master.
To manually failback:
1 On the failover unit, go to the System > Hardware > Failover page and click Enter standby mode. Operations will be transferred to the master.

Configuring Modems
Advanced Firewall can store up to five modem profiles.

To configure a modem profile:
1 Browse to the System > Hardware > Modem page.
2 Configure the following settings:
Setting – Description
Profiles – From the drop-down list, select Empty to create a modem profile.
Profile name – Enter a name for the modem profile.
Interface – Select the serial port that the modem is connected to.
Computer to modem rate – Select the connection speed of the modem. A standard 56K modem is usually connected at the default 115200 rate.
Modem speaker on – Select to enable audio output during the modem dialing process, if the modem has a speaker.
Dialing mode – Select the dialing mode. Tone – Select if your telephone company supports tone dialing. Pulse – Select if your telephone company supports pulse dialing.
Connect timeout – Enter the amount of time in seconds to allow the modem to attempt to connect.
Init – Enter the commands required to initialize the modem.
Hangup – Enter the commands required to end a connection.
Speaker on – Enter the commands required to turn the speaker on.
Speaker off – Enter the commands required to turn the speaker off.
Tone dial – Enter the commands required to turn tone dialing on.
Pulse dial – Enter the commands required to turn pulse dialing on.
3 Click Save to save your settings and create the profile.

Installing and Uploading Firmware
Advanced Firewall can upload the third-party mgmt.o file to the system. Without this file, Alcatel SpeedTouch USB ADSL modems will not work.
Note: The 330 version of this modem also requires its own firmware update to function correctly.
To upload and install the Alcatel firmware:
1 Navigate to the System > Hardware > Firmware upload page.
2 Click Browse adjacent to the Upload file field.
3 Use the browser's Open dialog to find and open the mgmt.o firmware update file.
4 Click Upload to upload the firmware update.
Note: Once this process has been completed, the system must be rebooted before the new firmware is activated.

Diagnostics
The following sections discuss configuration tests, diagnostics, IP tools and traffic analysis.

Configuration Tests
The Configuration tests page is used to ensure that your current Advanced Firewall settings are not likely to cause problems. For example, DNS resolution is checked, gateways are ping-ed and network routing is tested to make sure your current settings are not likely to cause problems. Components installed on your Advanced Firewall add tests to this page which, when run, highlight problem areas.

To test your configuration:
1 Navigate to the System > Diagnostics > Configuration tests page.
2 Click Perform tests. The results are displayed in the Details area.

Generating Diagnostics
Advanced Firewall provides diagnostics facilities, typically used to provide Smoothwall support engineers with complete system configuration information to aid problem solving.
To generate a diagnostics file:
1 Navigate to the System > Diagnostics > Diagnostics page.
2 Configure the following settings:
Setting – Description
System – Select All to include all system components, or individually select the components you want to include in the diagnostics results.
Modules – Select All to include all modules, or individually select the modules you want to include in the diagnostics results.
3 Click Generate. When prompted, save the results in a suitable location for review.

IP Tools
The IP tools page is used to check connectivity, both from Advanced Firewall to computers on its local networks and to hosts located externally on the Internet. There are two IP Tools:
• Ping – Ping establishes that basic connectivity to a specified host can be made. Use it to prove that Advanced Firewall can communicate with hosts on its local networks and external hosts on the Internet.
• Traceroute – Traceroute is used to reveal the routing path to Internet hosts, shown as a series of hops from one system to another. A greater number of hops indicates a longer (and therefore slower) connection.
The output of these commands is as it would be if the commands were run directly by the root user from the console of the Advanced Firewall system. It is, of course, more convenient to run them from this page.

Using Ping
To use Ping:
1 Navigate to the System > Diagnostics > IP tools page.
2 Select the Ping option from the Tool drop-down list.
3 Enter an IP address or hostname that you wish to ping in the IP addresses or hostnames field.
4 Click Run. The result of the ping command is displayed.

Using Traceroute
To use Traceroute:
1 Navigate to the System > Diagnostics > IP tools page.
2 Select the Traceroute option from the Tool drop-down list.
3 Enter an IP address or hostname that you wish to trace in the IP addresses or hostnames field.
4 Click Run. The result of the traceroute command is displayed.

Whois
Whois is used to display ownership information for an IP address or domain name. A major use for this is to determine the source of requests appearing in the firewall or Detection System logs. This can assist in the identification of malicious hosts.

To use Whois:
1 Navigate to the System > Diagnostics > Whois page.
2 Enter an IP address or domain name that you wish to look up in the IP addresses or domain name field.
3 Click Run. The output of Whois is as it would be if it were run directly by the root user from the console of the Advanced Firewall system.

Analyzing Network Traffic
The Traffic analysis page displays detailed information on what traffic is currently on the network, as well as specific information on connections made. It is possible to view a complete transcript of TCP and UDP sessions, including pictures sent or received on web requests.
To analyze traffic:
1 Navigate to the System > Diagnostics > Traffic analysis page.
2 From the Interface drop-down list, select the interface.
3 From the Time to run for drop-down list, select how long to analyze the traffic.
4 Click Generate. After the time specified has elapsed, a breakdown of what ports and services have been used is presented.

Managing CA Certificates
When Advanced Firewall's instant messenger proxy and/or Guardian are configured to intercept SSL traffic, certificates must be validated. Advanced Firewall validates the certificates by checking them against the list of installed Certificate Authority (CA) certificates on the System > Certificates > Certificate authorities page. By default, Advanced Firewall comes with certificates issued by well-known and trusted CAs.
The following sections describe how you can import new CA certificates, export existing CA certificates and edit the list to display a subset or all of the CA certificates available.

Reviewing CA Certificates
To review the certificates:
1 Browse to the System > Certificates > Certificate authorities page. Advanced Firewall displays the certificates available. It also displays which certificates are valid and which are built-in, i.e. included in Advanced Firewall by default.
2 To review a specific certificate, click on its name. Advanced Firewall displays it.
3 Click your browser's Back button to return to Advanced Firewall.

Importing CA Certificates
To import CA certificates:
1 Navigate to the System > Certificates > Certificate authorities page and locate the Import Certificate Authority certificate area.
2 Click Browse, navigate to the certificate and select it.
3 Click the import option. Advanced Firewall imports the certificate and displays it at the bottom of the list.

Exporting CA Certificates
To export certificates:
1 On the System > Certificates > Certificate authorities page, select the certificate.
2 From the Export format drop-down list, select one of the following options:
Option – Description
CA certificate in PEM – Export the certificate in an ASCII (textual) certificate format commonly used by Microsoft operating systems.
CA certificate in BIN – Export the certificate in a binary certificate format.
3 Click Export and save the certificate on suitable medium.

Deleting and Restoring Certificates
You can remove built-in certificates from the list on the System > Certificates > Certificate authorities page. You can also restore them to the list if required.
To delete certificates:
1 On the System > Certificates > Certificate authorities page, select the certificate(s) and click Delete. Advanced Firewall removes the certificate(s).

Chapter 14 Centrally Managing Smoothwall Systems
In this chapter:
• About centrally managing Smoothwall systems
• Pre-requirements
• Setting up a Smoothwall system
• Managing nodes in a system.

About Centrally Managing Smoothwall Systems
Advanced Firewall's central management enables you to monitor and manage nodes in a Smoothwall system. A Smoothwall system is comprised of an instance of a Smoothwall product running as a parent node and one or more compatible Smoothwall products running as child nodes being managed by the parent node.
Configuring and managing a Smoothwall system entails:
• Configuring a parent and the nodes in the system, for more information, see Setting up a Centrally Managed Smoothwall System on page 292
• Actively monitoring the nodes in the system, for more information, see Monitoring Node Status on page 297
• Applying updates, for more information, see Scheduling and Applying Updates to One or More Nodes on page 299
• Rebooting nodes as required, for more information, see Rebooting Nodes on page 299
• Disabling nodes as required, for more information, see Disabling Nodes on page 299.

Pre-requirements
Before you start to set up a centrally managed Smoothwall system:
• Check that all the Smoothwall machines you intend to include in the system have the latest updates applied. For more information, see Chapter 13, Installing Updates on page 259
• Check that you have administrator access to all of the computers you want to include in the system
• Check that there is IP access from the computer that will be the parent node to the computers that will be child nodes in the system.

Setting up a Centrally Managed Smoothwall System
Setting up a centrally managed Smoothwall system entails:
• Configuring the parent node in the system
• Configuring child nodes settings, installing the central management key and enabling SSH on child nodes
• Adding child nodes to the system.

Configuring the Parent Node
The first step when configuring a Smoothwall system is to configure the parent node in the system.
To configure the parent node:
1 Log in to the instance of Advanced Firewall you want to function as the parent node. This instance of Advanced Firewall becomes the parent node and can be used to centrally manage the Smoothwall system.
2 Browse to the System > Central management > Local node settings page.
3 Configure the following settings:
Setting – Description
Local node options – Parent node – Select this option to enable central management and configure this instance of Advanced Firewall as the parent node in the Smoothwall system.
4 Click Save.

Configuring Child Nodes
Every child node in a Smoothwall system must have a central management key installed and SSH enabled.
To configure a child node:
1 On the system's parent node, browse to the System > Central management > Local node settings page.
2 Configure the following settings:
Setting – Description
Local node options – Parent node – Check that this option is selected so that you can generate a central management key for installation on child nodes.
Manage central management keys – Central management key – Click Download to download and save the central management key in a secure, accessible location for distribution to the child nodes in the system.
3 On the Smoothwall system you want to add as a child node, browse to the System > Central management > Local node settings page and configure the following settings:
Setting – Description
Local node options – Child node – Select this option to configure this machine as a child node in the system. Click Save to save this setting.
Manage central management keys – Upload central management key – Using your browser's controls, browse to and select the key. Click Save to upload the key to the child node.
Note: If you are reconfiguring a child node to be the child of a new parent, reboot the child node to apply the changes.
4 On the System > Administration > Admin options page, select SSH and click Save.
5 Repeat step 3 and step 4 above on any other machines you want to use as child nodes. When finished, you are ready to add them to the system. See Adding Child Nodes to the System on page 294 for more information.

Adding Child Nodes to the System
When you have installed the central management key and enabled SSH on all child nodes, you are ready to add them to the system. You can add nodes:
• Manually by adding each node separately, for more information, see Manually Adding Child Nodes on page 294
• By importing node information from a CSV file, for more information, see Importing Nodes into the System on page 295.

Manually Adding Child Nodes
Adding child nodes manually entails entering the information for each node separately.
To add child nodes manually:
1 On the parent node, browse to the System > Central management > Child nodes page.
2 Click Add node and configure the following settings:
Setting – Description
Node details – Node name – Enter a unique name to identify the node. Node names may only consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported.
IP/hostname – Enter the IP address or hostname of the child node.
Comment – Optionally, enter a comment describing the child node.

Node settings – Replication profile – From the drop-down list, select the replication profile to be deployed on the child node. The replication profile enables the sharing of system settings between nodes. For information on configuring a replication profile, see Chapter 13, Creating an Archive on page 263.
Allow parent to monitor status – Select to enable central monitoring for the child node. For more information, see Monitoring Node Status on page 297.
Central logging – Select to enable central logging for the child node. Note: Do not select this option if you want to access the child node's logs on the child node itself.
Allow parent to manage resources – Select to enable the parent node in the group to manage child node resources such as quotas which limit user access to web content. When enabled and quotas have been used in a web filtering policy, the parent ensures that users cannot access content for longer than allowed by using different child nodes. Note: Currently, this option only applies to Advanced Firewall with Guardian3 installed.
3 Select Enable node and click Confirm. When prompted, review the node details and then click Save to add the node.
4 Repeat step 2 and step 3 for each node you want to add to the system.
5 When you have added all of the nodes, browse to the System > Central management > Overview page. The parent node lists the child nodes and displays their current status.

Importing Nodes into the System
If child node information is available in a comma separated format (CSV) file, you can import it directly into the parent node.

About the CSV File
Each line in the CSV file must contain 8 fields. The fields must be separated by commas and ordered as follows:
Name,IP/hostname,Enabled,Monitorstatus,Centrallogging,Centralresources,Replicationprofile,Comment
The possible values for the fields are as follows:
Field – Value
Name – The node name. A node name may consist of letters, numbers, spaces, underscores and full stops. Unicode is not supported. This field is required. Note: If the name is the same as that of a child node already in the system, the child node in the system will be overwritten.
IP/hostname – The IP or hostname of the node. This field is required.
Central logging – Determines if central logging is enabled or disabled. Enabled – Enter: yes, on, or 1. Disabled – Enter: no, off, or 0. This field is required. Note: Do not enable this option if you want to access the child node's logs on the child node itself.

4 Click Confirm to import the information in the file. spaces. Enabled – Enter: yes. This field is required. About Archive Profiles on page 263. 296 . For more information. on. or 0. 2 Click Import CSV. browse to the System > Central management > Child nodes page. see About the CSV File on page 295. 3 The parent node displays the contents of the file and notifies you of any errors in the file. Comment A comment. 2 Make the changes required. Enabled Determines if the node settings are enabled or disabled. browse to the file and select it. Importing Node Information The following steps explain how to import node information from a CSV file. off. Disabled – Enter: no. This field is required. or 1. Disabled – Enter: no. off. see Manually Adding Child Nodes on page 294. or 0. underscores and full stops. Enabled – Enter: yes. This field is optional. To import node information from a CSV file: 1 On the parent node. see Chapter 13. Replication profile The name of the replication profile used on the node. The parent node imports the node information and displays it. Unicode is not supported. This field is required. or 1. Note: Currently.Centrally Managing Smoothwall Systems Setting up a Centrally Managed Smoothwall System Field Value Monitor status Determines if central monitoring is enabled or disabled. locate the node you want to edit and click Edit node. or 0. This field is optional and may be empty. it is possible to edit child node settings. It may consist of letters. Click Import to import the contents of the file. see Manually Adding Child Nodes on page 294 for full information on the settings. Note: Importing settings from a CSV file will overwrite existing nodes with the same name. numbers. 3 Click Confirm. For full information on what the settings do. To edit a child node’s settings: 1 Browse to the System > Central management > Child nodes page. on. Central resources Determines if resources are managed by the parent. Editing Child Node Settings When required. 
Enabled – Enter: yes. on. For more information on CSV files. Disabled – Enter: no. off. or 1. review the changes and then click Save to save and implement the changes. this option only applies to Advanced Firewall with Guardian3 installed.
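The following is an added example, not code from the Smoothwall guide or the product, that applies the CSV field rules above to a file before it is uploaded to the parent node: it checks the field count, the required fields, the yes/on/1 and no/off/0 spellings and the ASCII character set for names, and reports names that would overwrite an existing child node. The sample CSV text and the list of existing node names are constructed for the example. The guide does not say whether the parent compares names case-sensitively, so the overwrite check here uses an exact match.

```python
"""Validate child-node CSV lines before importing them into a parent node.

Added example, not part of the Smoothwall guide or product. It applies the
rules from "About the CSV File": 8 comma-separated fields in a fixed order,
required and optional fields, the yes/on/1 and no/off/0 booleans, and the
ASCII character set for names. The sample data below is constructed.
"""
import csv
import io
import re

FIELDS = ("Name", "IP/hostname", "Enabled", "Replicationprofile",
          "Monitorstatus", "Centrallogging", "Centralresources", "Comment")
BOOL_FIELDS = ("Enabled", "Monitorstatus", "Centrallogging", "Centralresources")
OPTIONAL_FIELDS = ("Replicationprofile", "Comment")
# Names and profile names: letters, numbers, spaces, underscores and full
# stops only; the guide says Unicode is not supported, so the class is ASCII.
NAME_RE = re.compile(r"^[A-Za-z0-9 _.]+$")
TRUE_VALUES = {"yes", "on", "1"}
FALSE_VALUES = {"no", "off", "0"}


def parse_bool(value):
    """Map the documented spellings to bool; anything else is an error."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError("expected yes/on/1 or no/off/0, got %r" % value)


def validate_node_csv(text, existing_names=()):
    """Validate CSV text line by line.

    Returns (records, errors, warnings): records are dicts keyed by FIELDS
    with the four flag fields decoded to bool; errors and warnings are
    'line N: ...' strings. A line with an error yields no record, so the
    caller can refuse the whole import before anything is overwritten.
    """
    records, errors, warnings = [], [], []
    existing = set(existing_names)
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line
        if len(row) != len(FIELDS):
            errors.append("line %d: expected %d fields, found %d"
                          % (lineno, len(FIELDS), len(row)))
            continue
        rec = dict(zip(FIELDS, (f.strip() for f in row)))
        line_errors = []
        for field in FIELDS:
            if field not in OPTIONAL_FIELDS and rec[field] == "":
                line_errors.append("%s is required" % field)
        for field in ("Name", "Replicationprofile"):
            if rec[field] and not NAME_RE.match(rec[field]):
                line_errors.append("%s contains unsupported characters" % field)
        for field in BOOL_FIELDS:
            if rec[field]:
                try:
                    rec[field] = parse_bool(rec[field])
                except ValueError as exc:
                    line_errors.append("%s: %s" % (field, exc))
        if line_errors:
            errors.extend("line %d: %s" % (lineno, e) for e in line_errors)
            continue
        # The guide warns that a name matching an existing child node
        # replaces that node, so surface it before importing.
        if rec["Name"] in existing:
            warnings.append("line %d: %r will overwrite an existing node"
                            % (lineno, rec["Name"]))
        records.append(rec)
    return records, errors, warnings


# Constructed sample file: two valid nodes followed by three faulty lines.
SAMPLE_CSV = """\
branch_1,10.0.1.1,yes,default,on,1,no,Main branch
branch 2,fw2.example.local,no,,off,0,off,
bad node,10.0.3.1,maybe,default,on,on,on,typo in Enabled
brünn,10.0.4.1,yes,default,on,on,on,unicode name
short,10.0.5.1,yes
"""
```

Run the import only when the errors list is empty; the warnings list names the nodes that, as the guide states, will be replaced by the import.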

Deleting Nodes in the System
It is possible to delete nodes that are no longer required in the system.
To delete a node:
1 On the System > Central management > Child nodes page, locate the node you want to delete and click Delete node. When prompted, click Delete to confirm the deletion.
2 Repeat the step above for any other nodes you want to delete.

Managing Nodes in a Smoothwall System
Managing nodes in a Smoothwall system entails:
• Monitoring node status
• Applying updates to nodes
• Scheduling updates for application at a specific time
• Rebooting nodes when necessary
• Disabling nodes when necessary

Monitoring Node Status
The central management node overview on the parent node displays a list of all of the nodes in the Smoothwall system. It also displays the nodes' current status and whether updates for the nodes are available.
To monitor node status:
1 On the parent node, browse to the System > Central management > Overview page. The parent node displays the current status of each node.
Node information is contained in the following fields:
Name – The Name field displays the name of the node. Click on the name to log in to the node.
Status – The Status field displays the current state of the node. The following statuses are possible: OK – the node is functioning and does not require attention. Warning – the node does not require immediate attention but should be checked for problems. Critical – the node requires immediate attention. Click on the node's Status text to display detailed information on the node. For more information, see Accessing the Node Details Page on page 298.
Updates – The Updates field enables you to schedule the application of available updates. Click on the Updates text to display detailed information on the node. For more information, see Scheduling and Applying Updates to One or More Nodes on page 299.

Accessing the Node Details Page
It is possible to view detailed information on a node by accessing the node details page.
To access a node details page:
1 On the parent node, browse to the System > Central management > Overview page.
2 Locate the node you want more information on and click on its Status text. Advanced Firewall displays the node details page.
3 Click on the displayed headings for more information.
4 Click Refresh node to refresh the information displayed.
5 Click Reboot node to reboot the node.

Working with Updates
You can review and apply updates to a node as they become available. You can also apply updates to one or more nodes immediately or at a later date.

Reviewing and Applying Available Updates to a Node
To review and apply updates:
1 On the parent node, browse to the System > Central management > Overview page.
2 Click the Updates tab and then click the Status field of the node. The node details are displayed.
3 Click on the Updates line to review detailed information about the updates available.
4 To apply the updates to the node, click Schedule update. The Schedule node update page is displayed.
5 In the Install updates area, select one of the following options:
Now – Select to apply the updates to the node immediately.
Later – From the drop-down list, select when you want the updates applied to the node.
Click Schedule update. The updates are applied to the node as specified in the previous step and the node is rebooted.

Scheduling and Applying Updates to One or More Nodes
You can apply updates to one or more nodes immediately or schedule them for application later.
To apply updates:
1 On the parent node, browse to the System > Central management > Overview page.
2 Locate and select the node(s) that require updates and click Schedule update. The Schedule node update page is displayed.
3 In the Install updates area, select one of the following options:
Now – Select to apply the update(s) to the node(s) immediately.
Later – From the drop-down list, select when you want the update(s) applied to the node(s).
4 Click Schedule update. The updates are applied to the node(s) as specified in the previous step and the node(s) are rebooted.

Clearing Scheduled Updates
It is possible to clear any scheduled updates.
To clear scheduled updates:
1 On the System > Central management > Overview page or the node details page, under Updates, click Clear schedule.
2 Advanced Firewall displays the updates that are currently scheduled. Click Clear schedule to clear the updates.

Rebooting Nodes
When required, you can reboot a child node from the system's parent node.
To reboot a child node:
1 On the parent node, browse to the System > Central management > Overview page.
2 Locate the node you want to reboot and click on its Status text. The node details are displayed.
3 Click Reboot node. The Schedule node reboot page opens. In the Reboot node area, select one of the following options:
Now – Select to reboot the node immediately.
Later – From the drop-down list, select when you want to reboot the node.
4 Click Schedule reboot. The node is rebooted.

Disabling Nodes
It is possible to disable nodes locally and system-wide.

Disabling Nodes Locally
You may need to work on a child node in a system and, e.g., want to stop replication settings from being applied by the parent. You can do this by disabling the child node locally. While the node is disabled locally, setting changes made on the parent are not replicated to it.
To disable a node locally:
1 On the node you want to disable, browse to the System > Central management > Local node settings page.
2 In the Local node options area, select Disable and click Save.
3 Repeat the steps above for any other nodes in the system that you want to disable.
Note: On the parent node, on the System > Central management > Overview page, nodes that have been disabled locally will be listed as Node uncontactable.

Disabling Nodes System-wide
You may need to disable a child node in a system, e.g. in the case of hardware failure. You can do this by disabling the child node system-wide.
To disable a node system-wide:
1 On the parent node, browse to the System > Central management > Child nodes page.
2 Locate the node you want to disable, select Disable and click Save.
3 Repeat the steps above for any other nodes in the system that you want to disable system-wide.

Appendix A Authentication
In this appendix:
• Authentication methods
• WPA enterprise and Windows 8

Overview
Advanced Firewall's authentication system enables the identity of internal network users to be verified, such that service permissions and restrictions can be dynamically applied according to a user's group membership. Network users must provide their identity credentials when using an authentication-enabled service for the first time. A user that is authenticated can be described as being logged in. Unauthenticated users are usually granted limited, or sometimes no, access to authentication-enabled services.

Verifying User Identity Credentials
In order to authenticate users, Advanced Firewall must be able to verify the identity credentials, e.g. usernames and passwords, supplied by network users, against known user profile information. Credentials are verified against the authentication system's local user database. If the credentials cannot be verified by the authentication system, i.e. a matching username and password cannot be found in the local user database, the user's identity status will be set to 'Unauthenticated'.

About Authentication Mechanisms
All authentication-enabled services use the authentication system to discover what users are accessing them. The authentication system provides two functions:
• Identity confirmation – provide details of known authenticated users at a particular IP address.
• Identity verification – authenticate users by checking supplied identity credentials.
Once a particular user is known, an authentication-enabled service can enforce customized permissions and restrictions. Authentication-enabled services can interact with the authentication system in the following ways:
• Passive interrogation of whether there is an already-authenticated user at a particular IP address, and if so their details
• Active provision of user-supplied identity credentials, e.g. usernames and passwords, for onward authentication.
The means by which these two types of interactions are combined and implemented defines a particular named authentication mechanism.

The Core Authentication Mechanism
This is a special type of authentication mechanism that uses the first interaction method exclusively, i.e. it only ever asks the authentication system whether there is a known user at a particular IP address. If the user has not been authenticated by any other authentication mechanism, the user's status is returned by the authentication system as 'Unauthenticated'.

Other Authentication Mechanisms
All other authentication mechanisms use a combination of the previously discussed interactions. Such mechanisms usually interrogate the authentication system to determine if the user at the requesting IP has already been authenticated. If the user has been authenticated, appropriate permissions and restrictions can be enforced by the requesting service. However, if the user is currently unauthenticated, the second type of interaction occurs, i.e. the requesting service pro-actively provides end-user identity credentials to the authentication system, for onward authentication. Thus, it follows that such authentication mechanisms must also provide an appropriate means of collecting end-user identity credentials.

Choosing an Authentication Mechanism
As discussed in the preceding sections, all authentication-enabled services must use some kind of authentication mechanism to interact with the authentication system. Some authentication-enabled services offer no choice of mechanism used; in such cases, the authentication mechanism will always be 'Core authentication'.

About the Login Time-out
The login time-out is the length of time that a user's authenticated status will last once they are authenticated. If Advanced Firewall sees no activity from a particular user for the length of time specified by the time-out period, the user's authenticated status will be invalidated. Time-out does not occur if Advanced Firewall can determine that the same user is still active, for example by seeing continued web browsing from the same user.
The login time-out affects the load on the local system. Lower time-out values increase the frequency of re-authentication requests. Time-out values that are too low may adversely affect system performance, resulting in failed login attempts. However, longer time-outs increase the risk of a new user at the same IP address being granted inappropriate rights, if the original user fails to pro-actively log out. A value of 10 minutes is effective for most networks.

Advanced Firewall and DNS
Advanced Firewall's authentication service uses internal DNS servers for name lookups. Advanced Firewall's DNS proxy server uses external DNS servers for name lookups. Internal DNS servers are specified using Advanced Firewall's setup program. External DNS servers are specified when setting up an Advanced Firewall connectivity profile. In this way, Advanced Firewall can be configured to use an internal DNS server and the internal DNS server can, in turn, be configured to use Advanced Firewall as its DNS forwarder.

A Common DNS Pitfall
Often Advanced Firewall is configured so that an internal DNS server is configured as the primary DNS server and an external DNS server configured as the secondary DNS server. This is not the correct way to configure DNS servers on any client. This means the client assumes that it does not matter which DNS server it uses, as all DNS servers will have access to the same information. DNS is a system that was designed to be able to respond to any request by redirecting questions to the DNS servers responsible for the various registered domains on the public Internet. With the proliferation of private networks and internal DNS zones, this is no longer the case.
A DNS client will behave in the following way when looking up a host:
• If a reply of "host not found" is received, the client will NOT ask other DNS servers
• If the DNS server is not answering, the client will try to ask another DNS server
• The client will ask randomly between configured DNS servers
Taking the above conditions into account, it is clear that a DNS configuration that has an internal DNS and an external DNS server in the configuration will not work, or at least, will not work reliably. The internal DNS server that holds the Active Directory information needs to be configured so it can resolve external hostnames. The easiest way to do this is to configure the DNS server to use a forwarder, like Advanced Firewall's DNS proxy server.

Active Directory
The following sections describe usernames and group membership, which must be configured correctly in order to successfully implement Active Directory-based authentication.

Working with Large Directories
When dealing with large directories, a search through the entire directory can take a long time and make the Advanced Firewall Include groups page unwieldy to manage. Consider, for example, a directory with 5000 users and 2500 groups. Setting the group search root to the top level of the directory would result in an Include groups page with 2500 entries. This would probably take a long time to load and be hard to get an overview of. In the groups search root, a specified group search root can help in narrowing the scope of where to search for groups. Normally one group search root is enough, but if groups are distributed in multiple OUs, one group search root may not be enough. The Additional Group search roots option enables you to specify several OUs in which to search for groups.
For example, the administrator of the Active Directory domain has 2 OUs where the groups to be mapped are located, where the second OU is in the sub-domain sub1. The administrator enters the path for the primary OU and, in the additional groups search, the second OU is entered:
User search root: dc=domain,dc=local
Group search root: ou=guardiangroups,ou=users,dc=domain,dc=local
Additional group search root: ou=networkgroups,dc=sub1,dc=domain,dc=local
The above example is for a multi domain Active Directory installation. Remember that multiple groups can be mapped to the same Advanced Firewall permissions group.

Active Directory Username Types
A user account on a Windows 2000+ server will have 2 types of usernames:
• A Windows 2000+ username, which takes the form of user@domain.local
• An old style Windows NT 4 username, which has no domain attached to it.
When a Windows 2000+ domain has been migrated from a legacy Windows NT4 domain, the Windows NT 4 style usernames are not automatically duplicated to Windows 2000+ usernames.
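The session table below is an added example, not Smoothwall code, that models the login time-out behaviour described in About the Login Time-out above: an IP-keyed table whose authenticated status expires after `timeout` seconds of inactivity, is refreshed by observed activity, and is cleared at once by a pro-active logout. The trace it replays, a shared PC where alice walks away without logging out and bob's first request arrives 280 seconds after her last activity, is constructed for the example and times are plain seconds; it shows the stated risk that the new user inherits the previous user's rights until the time-out elapses.

```python
"""Model of the login time-out behaviour described in About the Login Time-out.

Added example, not Smoothwall code. AuthSessions keeps one entry per IP
address (the guide's identity confirmation is by IP), expires it after
`timeout` seconds without activity, refreshes it on activity, and drops it
on logout. The trace below is constructed for the example.
"""

UNAUTHENTICATED = "Unauthenticated"


class AuthSessions:
    def __init__(self, timeout):
        self.timeout = timeout
        self._by_ip = {}  # ip -> (username, time of last activity)

    def login(self, ip, username, now):
        """Identity verification succeeded for `username` at `ip`."""
        self._by_ip[ip] = (username, now)

    def logout(self, ip):
        """Pro-active logout: the IP becomes unauthenticated immediately."""
        self._by_ip.pop(ip, None)

    def activity(self, ip, now):
        """Activity seen from an IP (e.g. web browsing) refreshes its entry,
        so a user who keeps browsing is never timed out."""
        if self.who(ip, now) != UNAUTHENTICATED:
            user, _ = self._by_ip[ip]
            self._by_ip[ip] = (user, now)

    def who(self, ip, now):
        """Identity confirmation: the user at `ip`, or UNAUTHENTICATED if
        none is known or the idle period has exceeded the time-out.
        A passive query does not count as activity."""
        entry = self._by_ip.get(ip)
        if entry is None:
            return UNAUTHENTICATED
        user, last_seen = entry
        if now - last_seen > self.timeout:
            del self._by_ip[ip]
            return UNAUTHENTICATED
        return user


def replay(events, timeout):
    """Run (time, action, ip, arg) events through AuthSessions and return the
    answer given to each 'who' query, in order."""
    sessions = AuthSessions(timeout)
    answers = []
    for t, action, ip, arg in events:
        if action == "login":
            sessions.login(ip, arg, t)
        elif action == "logout":
            sessions.logout(ip)
        elif action == "activity":
            sessions.activity(ip, t)
        elif action == "who":
            answers.append(sessions.who(ip, t))
    return answers


# Constructed trace: alice logs in at a shared address and leaves without
# logging out; bob sits down at the same machine a few minutes later.
SHARED_PC_TRACE = [
    (0,    "login",    "10.0.0.5", "alice"),
    (120,  "activity", "10.0.0.5", None),
    (400,  "who",      "10.0.0.5", None),   # bob's first request, 280 s idle
    (1500, "who",      "10.0.0.5", None),   # 1100 s after alice's last activity
]
```

With the guide's suggested 10 minute (600 second) time-out, bob's first request is answered as alice; with a 60 second time-out it is not, at the cost of alice re-authenticating after every short pause. Only the logout removes the exposure entirely.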
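As an added example, not from the guide, the simulation below applies the three client rules from A Common DNS Pitfall above to two stub DNS servers: an internal server authoritative for a private zone and an external server that knows only public names. It measures how often a lookup fails when a client lists both servers, and shows that giving the internal server a forwarder and listing it alone removes the failures. The zones, names and the choice of random seed are constructed for the example; the forwarder here is modelled as the external server directly, where the guide recommends Advanced Firewall's DNS proxy.

```python
"""Simulation of the resolver behaviour described in A Common DNS Pitfall.

Added example, not Smoothwall code. StubServer answers from its own zone,
forwards unknown names if it has a forwarder, and otherwise returns
"host not found". client_lookup applies the guide's three client rules.
The environment at the bottom is constructed.
"""
import random

NXDOMAIN = "host not found"


class StubServer:
    """A DNS server that knows one zone and optionally forwards the rest."""

    def __init__(self, name, zone, forwarder=None, down=False):
        self.name = name
        self.zone = zone            # {hostname: ip} answered authoritatively
        self.forwarder = forwarder  # StubServer asked for names outside the zone
        self.down = down            # True: never answers (times out)

    def query(self, host):
        """Return an IP string, NXDOMAIN, or None when there is no answer."""
        if self.down:
            return None
        if host in self.zone:
            return self.zone[host]
        if self.forwarder is not None:
            return self.forwarder.query(host)
        return NXDOMAIN


def client_lookup(servers, host, rng=None):
    """Pick a configured server at random, treat "host not found" as final,
    and only move to another server when the chosen one does not answer."""
    if rng is None:
        rng = random.Random()
    order = list(servers)
    rng.shuffle(order)
    for server in order:
        answer = server.query(host)
        if answer is not None:
            return answer
    return None  # no configured server answered


def failure_rate(servers, host, trials=1000, seed=1):
    """Fraction of lookups that do not produce an address."""
    rng = random.Random(seed)
    failed = sum(1 for _ in range(trials)
                 if client_lookup(servers, host, rng) in (None, NXDOMAIN))
    return failed / trials


# Constructed environment: an ISP resolver that knows only public names and
# an Active Directory DNS server that is authoritative for corp.local.
EXTERNAL = StubServer("isp-dns", {"www.example.com": "93.184.216.34"})
INTERNAL_NO_FWD = StubServer("ad-dns", {"dc1.corp.local": "10.0.0.10"})
INTERNAL_WITH_FWD = StubServer("ad-dns", {"dc1.corp.local": "10.0.0.10"},
                               forwarder=EXTERNAL)
```

With both servers configured, roughly half of all lookups fail, for internal and external names alike, because a "host not found" from the wrong server ends the query. With the forwarding internal server alone, every name resolves, and a server that does not answer is still skipped in favour of the next one.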

In order for Advanced Firewall authentication to be able to successfully look up and authenticate Windows users, a Windows 2000+ username needs to be present.

Accounts and NTLM Identification
When using NTLM identification on an Active Directory server that has been set up with no pre-Windows 2000 access permissions, the server lookup user account needs to be a member of the Pre-Windows 2000 Compatible Access group. This group is normally found in the Builtin container in the Active Directory Users and Computers snap-in.

About Kerberos
The following sections document Kerberos pre-requisites and list some points to try if troubleshooting.

Kerberos Pre-requisites and Limitations
The following are pre-requisites and known limitations when using Kerberos as an authentication method:
• Forward and reverse DNS must be working
• All clocks must be in sync. More than 5 minutes clock drift will cause authentication to fail
• Internet Explorer 6 will not work in non-transparent mode.

Troubleshooting
Check the following when troubleshooting a service that uses Kerberos:
• Make sure all the prerequisites have been met, see Kerberos Pre-requisites and Limitations on page 304
• Try another browser for fault-finding
• In Safari, try the fully qualified domain name (FQDN) if the short form does not work
• Did the user log on before the keytab was created? Try logging off then on again.
• Did the user log on before Advanced Firewall joined the domain? Try logging off then on again.
• Double check you are logged on with a domain account
• When exporting your own keytabs:
• Make sure the keytab contains keys with the same type of cryptography as that used by the client
• The "HTTP" in the service principal name (SPN) must be in uppercase
• The keytab should contain SPNs containing the short and fully qualified forms of each hostname.
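The following is an added example, not Smoothwall code, that checks an exported keytab against the three keytab points above before it is uploaded: the service name must be uppercase HTTP, both the short and fully qualified host forms must be present, and the key types must include those the clients use. It contains a reader for the MIT keytab file format (magic 0x0502, one length-prefixed entry per key, optional 32-bit kvno after the key). The keytab bytes are built in-memory by `build_keytab` with dummy key material so the example runs offline, and treating AES-128 and AES-256 (enctypes 17 and 18) as the required client key types is an assumption made for the example; adjust `required_enctypes` to what your clients negotiate.

```python
"""Check an exported keytab against the keytab points in Troubleshooting.

Added example, not Smoothwall code. read_keytab parses the MIT keytab
format; check_http_keytab applies the guide's three points. The keytabs
used below are constructed with build_keytab and contain dummy keys.
"""
import struct

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
NT_PRINCIPAL = 1   # KRB5_NT_PRINCIPAL name type


def _octet_string(data):
    """MIT keytab counted octet string: 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """entries: iterable of (principal, realm, kvno, enctype, key).
    Returns the bytes of an MIT v2 keytab (magic 0x0502) holding them."""
    out = [b"\x05\x02"]
    for principal, realm, kvno, enctype, key in entries:
        components = principal.split("/")
        body = struct.pack(">H", len(components))
        body += _octet_string(realm.encode())
        for comp in components:
            body += _octet_string(comp.encode())
        # name type, timestamp, 8-bit kvno
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)   # 32-bit kvno extension
        out.append(struct.pack(">i", len(body)) + body)
    return b"".join(out)


def _read_string(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def read_keytab(data):
    """Parse keytab bytes into dicts of principal, realm, kvno and enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_string(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_string(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen           # the key bytes are not needed for the checks
        kvno = vno8
        if end - pos >= 4:        # optional 32-bit kvno follows the key
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def check_http_keytab(data, fqdn, required_enctypes=(17, 18)):
    """Apply the guide's keytab points for an HTTP service on `fqdn` and
    return the list of problems found (empty when every check passes)."""
    problems = []
    short_name = fqdn.split(".")[0]
    enctypes_by_host = {}
    for entry in read_keytab(data):
        service, _, host = entry["principal"].partition("/")
        if service == "HTTP":
            enctypes_by_host.setdefault(host, set()).add(entry["enctype"])
        elif service.lower() == "http":
            problems.append("service name must be uppercase HTTP: %s" % entry["principal"])
    for host in (short_name, fqdn):
        if host not in enctypes_by_host:
            problems.append("no entry for HTTP/%s" % host)
            continue
        for enc in sorted(set(required_enctypes) - enctypes_by_host[host]):
            problems.append("HTTP/%s lacks key type %s" % (host, ENCTYPE_NAMES.get(enc, enc)))
    return problems


# Constructed keytabs: one that passes every check, one exported with a
# lowercase service name and only an RC4 key.
GOOD_KEYTAB = build_keytab([
    ("HTTP/proxy.corp.local", "CORP.LOCAL", 3, 18, b"\x11" * 32),
    ("HTTP/proxy.corp.local", "CORP.LOCAL", 3, 17, b"\x22" * 16),
    ("HTTP/proxy", "CORP.LOCAL", 3, 18, b"\x11" * 32),
    ("HTTP/proxy", "CORP.LOCAL", 3, 17, b"\x22" * 16),
])
BAD_KEYTAB = build_keytab([
    ("http/proxy.corp.local", "CORP.LOCAL", 3, 23, b"\x33" * 16),
])
```

To check a real file, pass `open("proxy.keytab", "rb").read()` and the proxy's FQDN to `check_http_keytab`; the kvno in each entry should also match the account's current key version, or clients that received tickets after the keytab was exported will fail, which is the "log off then on again" symptom above.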

Connecting a Windows 7 System to a WPA-Enterprise/802.1X Wireless Network
Microsoft's Windows 7 operating system is very strict on how 802.1X/EAP wireless networks are connected. Without the use of registry hacks, it is not possible to connect a Windows 7 system to a WPA-Enterprise/802.1X wireless network without certificate validation. The following describes a process of setting up an 802.1X authenticated wireless network under Windows 7 without the use of registry hacks.
Prepare the CA certificate:
1 On the Advanced Firewall WPA Enterprise page, download the certificate file.
2 Copy the certificate file onto a suitable medium for transfer to the device, e.g. USB flash drive or CDR media.
Import the CA certificate on the device:
1 Double-click on the certificate file.
2 Windows will present the certificate details for inspection. Click the Install Certificate... button.
3 When asked where to install the certificate, click Browse, select Trusted Root Certification Authorities, and click OK.
Create a wireless network profile:
It is not possible to join the wireless network from the notification area icon as Windows defaults to incorrect settings for the network. A profile must be created manually.
1 Access Network and Sharing Center via Control Panel.
2 Click Set up a new connection or network.
3 In the window that appears, select Manually connect to a wireless network.
4 Enter the network name (SSID) into the Network Name box.
5 Select WPA2-Enterprise as the security type.
6 Select AES as the encryption type.
7 Leave Security Key blank.
8 Select Start this connection automatically to connect as the network becomes available.
9 Click Next.
10 Click Change connection settings.
Modify security settings of network profile:
1 Select the Security tab.
2 Ensure Microsoft: Protected EAP (PEAP) is selected in the drop-down list, then click Settings.
3 Ensure Validate server certificate is selected.
4 Ensure Connect to these servers is not selected.
5 Ensure the imported root CA is selected in the list under Trusted Root Certification Authorities.
Note: Steps 3 and 5 are what stop a rogue access point that presents its own certificate from capturing the EAP-MSCHAPv2 exchange; do not disable server certificate validation to work around a connection problem.
6 Deselect Do not prompt user to authorize new servers or trusted certification authorities.
7 Ensure Secured password (EAP-MSCHAPv2) is selected under Select Authentication Method.
8 If your wireless network credentials do not match your Windows log on credentials, click Configure and deselect Automatically use my Windows logon name and password.
9 Click OK.
10 Click on Advanced settings.
11 Ensure Specify authentication mode is selected, and change the drop-down option to User authentication.

12 Click OK.
13 Click OK.
Connect to the wireless network:
1 Click on the wireless network icon in the notification area.
2 From the wireless network list, select the wireless network required and click Connect.
3 When prompted, enter your username and password. If you did not deselect Automatically use my Windows logon name and password you will not be prompted. You should now be connected to the wireless network.

Windows 7 802.1X Profile Migration
1 After following the above instructions on how to set up 802.1X on the first machine, open the command prompt and export the wireless profile, using:
netsh wlan export profile name="SSID"
This exports the details to an xml file.
2 Copy this xml file and the root certificate presented by Advanced Firewall to the target machine.
3 Install the certificate to the Trusted Root Certification Authorities.
4 Open up the command prompt, navigate to the location of the xml file and enter:
netsh wlan add profile filename="wirelessprofilename.xml"
5 Log in with your user credentials.

Appendix B Understanding Templates and Reports
In this chapter:
• How to use custom reporting

Programmable Drill-Down Looping Engine
The Advanced Firewall reporting system is divided into two conceptually different ideas, those of templates and reports. A template is a series of report sections and their configuration which contains instructions for extracting and manipulating data from Advanced Firewall and producing a report by filling in the template's sections.
A report section can be considered to be similar to a building block from a construction kit or a piece from a jigsaw puzzle. It has shape, color and provides some information; however, its power is better expressed when used in combination with other blocks to build more complicated and more interesting shapes. To this extent a section has a variety of inputs and a number of outputs. These can be connected to each other where the input and output types are equivalent, in the way that jigsaw pieces can be connected if their input and output facets match.
A template in that metaphor is analogous to the instruction sheet for the building blocks: it shows how to assemble the blocks together to produce the report, which is analogous to the finished model. A template is, as described above, nothing more than a structured series of sections. The act of building it takes the template and finds each of the individual blocks, retrieving data as appropriate and assembling it as the template dictates.

[Figures: Example Report Template; Example Report]

Report Templates, Creation and Editing
Creating report templates is done via the Advanced Firewall Custom page. The description of how to do this is covered elsewhere; however, there are a few details which allow for some level of flexibility.
Each report template can be assigned an icon, name and description. The name is clearly the name of the report template as it appears in the reports section; the description and icon options are equally obvious as to their use. The description field is actually unlimited in length and reasonably permissive in the characters it may contain. Long descriptions will be truncated in the interface for brevity; however, the full version of the description will appear under the report template's advanced options.
Once a report template has been created it may be edited (including changing its name) via the edit this report link under the report icon on the reports page. When editing a report template, or a copy of a report template, the preview button may be used without making changes to the existing template. Changes will only be saved to the desired report template when the create report option is used.
While editing a report template is a useful feature, there are occasions when it would be better to simply alter or manipulate an exact copy of a report template; for this purpose the edit a copy of this report option should be used. This will take a copy of all the report's options and sections while leaving the original report template unchanged, which gives rise to the ability to add, remove and manipulate the sections which it contains. Note again that the Edit report option on the Report display page (seen while viewing a rendered report) is analogous to the edit a copy of this report option seen from the reports page.

Viewing Reports, Exporting and Drill Down Reporting
The term reports has been made deliberately ambiguous and is now used to describe both a report and what was formerly known as a template, with the terms report and report template used in this appendix where the distinction between the two is deemed important. The difference between the two is perhaps moot for the most part; however, the key difference is that a report is a combination of several things: the report template used to create it and the data which was extracted and interpreted, along with its interpretation.
In the building block metaphor a report template is the instructions alone. Advanced Firewall is the warehouse full of bins of pieces and a report is the final boxed model ready for building. It has the instructions and the pieces but is still not quite ready for a user to play with. For the bulk of users, the distinction between what is a report and what is a report template is unimportant; each will eventually show them a set of details about what their system is doing, what it has been doing historically and where their users may have been attempting things with nefarious end.

This should leave the question of when the model actually gets built, the answer to which is reasonably simple: basically, the construction of a rendered report requires the following steps to be undertaken.
1 Retrieve assembly instructions.
2 Collect necessary parts from the warehouse.
3 Place all the required pieces into a box along with its instructions.
4 Assemble the model and present it to the awaiting small child.
A report template provides the first stage of this process, i.e. it is the instruction sheet for building the model. Generating a report will conduct steps 2 and 3. Viewing a report is the final step in this process and renders the report data (assembles the model) according to one of the output methods, i.e. this renders the report out into HTML, PDF, Excel, CSV or other formats. These stages are always transparent to the user: clicking on a report template link or a report itself from either the Reports or Recent and saved pages will complete the missing steps and show the requesting user the final model. The Reports page lists the report templates, or instruction sheets. The Recent and saved page shows the list of boxed models ready for assembly, again using the building-block metaphor.

Changing Report Formats
The reporting system provides multiple output formats. While HTML output is the most commonly used, there are additional formats which might allow for further analysis or interpretation of data. The formats available are:
• Adobe PDF Format
• Adobe PDF Format (suitable for black and white printers)
• Microsoft Excel format
• Comma Separated Value (csv format)
• Tab Separated Value (tsv format)
Due to the nature of a report and the rendering options, changing the rendering method does not regenerate the report, only the way it is presented. Thus any saved reports can be exported exactly as is without the need to regenerate them, making the export process relatively quick in comparison to the generation process.

Changing Report Date Ranges
From the Reports page, and while viewing a rendered report, it is possible to change the date range over which the report data is accrued. Note that this requires the regeneration of the report data afterwards.

From the Reports page, clicking on either the report template name, its icon or one of the output formats shown in the bottom right will use the date range specified at the top of the page. When viewing a report, the date controls appear at the top right of the page next to the table of contents view; the preview button here will regenerate a new report according to those date ranges, which may be saved accordingly. Note again that both these actions will generate a new report.

Navigating HTML Reports
The HTML rendered version of a report contains a table of contents for quick and easy navigation within the report. This table is accessed by clicking on the contents button in the top left hand corner of the report when it is being viewed. The table of contents is automatically generated and is based upon the sections contained within the report itself. Features such as feed-forward and iterative reporting are reflected as titles within the report and consequently as a level of indentation in the table of contents. At the bottom right hand of each section is a link to the top of the page (labeled top); this can be used to skip back to the top of the page where both the table of contents and rendering format options are presented.

Interpreted Results
Some results, such as URLs or IP addresses, can present additional information which might not be apparent from the result itself. For example, IP addresses can contain whois information which would allow for greater understanding of the IP address and why it might have appeared. URLs too can contain more information than is immediately apparent from viewing the URL. To activate Advanced Firewall's advanced interpreter, simply hover the mouse over the desired result; this will produce a tool-tip which contains more information about the result.

This option will present the Custom page with the report template used to generate this report already loaded. Saved reports are listed on the Recent and saved page under the reporting section. Changing the Report Once a report has been generated the report template used to create it is stored alongside the report data itself. alternative date ranges or saved to appear on the reports page. any associated parameters but has also retrieved the video title.Smoothwall Advanced Firewall Administrator’s Guide For example: In this example. The URL in question has been truncated to show only the immediately relevant information (the protocol. It is also important to note that a saved report is format-less and as such can be rendered to HTML. pdf. While viewing a report there is an edit report button presented underneath the table of contents which leads to the Custom page with the report template used to generate the viewed report already loaded. csv etc as desired. Saving a report will stop it being subject to the 48 hour rolling deletion which tidies the reports list each day. description and thumbnail from the YouTube server. the user has used the advanced interpreter to show the result for a YouTube video. Note again that this is a copy of the report template and so may be manipulated as desired. Saving Reports Reports can be saved for viewing later if this is desired. and can be viewed. and can therefore be used to produce a new report with refined options. This report template is a copy of the actual report template used to generate the report and may be edited as desired without altering the version stored within the report itself. The advanced interpreter is capable of recognizing many different types of URL and will present them in an appropriate manner. underneath the report’s icon is a link to Edit report. deleted and reused (by means of viewing the template used to generate them) in the same manner as a recent report. When viewing the recent and saved page. 
This is achieved in numerous ways depending upon location. 311 . domain and path) and hovering the mouse over the line in the results produces a tool-tip which not only shows the full URL.

Investigating Further (Drill down)
Each report section, when it is generated, can present a series of related or drill down reports; these are pre-determined report templates which will allow further investigation relevant to the item in the section in question. This is in a way analogous to the feed-forward reporting which will be discussed later; however this is a manual process which allows for a particular result to be investigated further. To better illustrate this behavior, imagine a report taken from Guardian which lists the top users who have requested internet sites via the Guardian content filter. This list would present a series of usernames; suggested drill down reports might allow for a report on the actual sites visited by an individual user, the full web activity for that user and so on. Related reports are presented in a variety of ways depending upon the number of options available. When a particular result has only one related report available, clicking on the result itself will lead to the related report for that result. When a result has more than one related report associated with it, clicking on the result will produce a menu of the available related reports; clicking on the relevant option will result in generating the relevant related report. Note that the list of related reports is determined by the report section which is being used and cannot be altered. Drill down reports will be stored notionally underneath the report in the recent and saved section.

Creating Template Reports and Customizing Sections
Report templates and customized sections are managed and manipulated from the Custom page on your Advanced Firewall’s interface. Creating templates is a matter of choosing, grouping and refining a number of sections into the correct set of instructions for the Advanced Firewall’s reporting engine to interpret and use to extract and manipulate data from the Advanced Firewall’s logs.

A list of available sections is included on the Custom page under the heading Available sections. The available sections list is structured as a simple tree, with the sections belonging to each module categorized accordingly. Existing template reports are also included in this list so that, once created, they can be included into new report templates without having to redefine them; the templates folder at the bottom of this list includes any existing report templates for inclusion as mentioned above. It should be noted that when a template report is included within another template report its options and sections are copied into the template at the time of its inclusion. Subsequent modifications to the template will not update any other templates that include it.

On the right of the available sections list is the included sections list, which shows a simplified form of the sections currently included in the template report being edited. This list deliberately mirrors its counterpart and denotes both the list of included sections and any groups that have been configured. Groups are shown as folders in the included sections list. To add and remove sections from the included sections list, sections can be highlighted by clicking on them and the add or remove controls used accordingly. Note that multiple sections can be added at once, and that sections can appear more than once in a template report.

Ordering Sections
Save for the caveats detailed under grouping sections, sections can be included anywhere in a report and ordered to make logical sense to the reader. To reorder a section simply select it from the Included sections list and press either move up or move down depending upon which direction you wish to move it. Note that sections cannot be moved outside of their containing folders.

Grouped Sections
Many of the underlying concepts in Advanced Firewall’s reporting system are based around the notion of grouped sections. A section group is a logical construct which allows for logically connected sections to be collated together. Grouping two sections together will produce a number of consequences and will allow for advanced options such as iteration and feed-forwarding to be used. Primarily, grouping options is done to allow multiple, logically similar sections to share options. For example, the Guardian web content filter module provides a number of reports which can show aspects of web browsing activity as conducted by a particular user: a Domain activity section could be configured to show the top 20 domains visited by a particular user, and a Browsing times section could be configured to show the times of day that a particular user tends to browse the internet. Both of these sections have a username field; these sections could be grouped together and share the username option, allowing for it to be entered only once when the report is generated.

Groups can contain other groups, which may of course be standard groups, iterative or feed-forward groups. They may also contain single sections, which are simply special cases of section groups. Groups also form the basis of both iterative reports and feed-forward reports. For iterative groups, the variable to iterate over can be chosen from the options common to the grouped sections. For feed-forward groups, a section which produces results of a suitable type can be nominated and other sections in the group will iterate over the results from that section. By containing groups within groups, complicated reporting structures can be developed which allow reports to automatically drill down and produce fine grained detail from a high level overview.

Understanding Groups and Grouped Options
The first details shown in a group are a text entry field allowing for the group name to be changed; this name allows a group to be given a title which will help with understanding the template structure, and does not bear any influence on the report creation. The second option is a drop down list of repeat options; this is used for controlling iterative and feed-forward reporting and will be discussed in the appropriate sections. When options are grouped together they will be presented as an option in the group under a section called grouped options. This may be grouped, feed-forward or repeating. They may also have a small visual indicator shown next to them in both the grouped options section and the regular options panel for each section. This indicator shows which options are grouped together and allows for them to be quickly collated together, for example if two options are given slightly different names but require the same value. Each option may be overridden by means of ticking the corresponding checkbox. An option with an override will use the value given to that option rather than the option it receives from its grouped parent; thus a group containing two sections both of which possess a limit field (the number of items to show) can have different limits applied to them. Next to the override option is a small description denoting why the option is inherently disabled, meaning that the value will be assigned by the parent group, and where the value comes from: the results of a feed-forward section or one of the list provided in an iterating group.

The list of sections contained within the group is listed below the grouped options, each in its own collapsible section, with a visual indicator allowing them to be related to their grouped counterparts. Grouped options will be included for each section here alongside regular per-section options. Options which are not grouped, fed-forward or iterated over will be displayed using a format which is appropriate to the type of value expected. This may be any number of common user interface elements (checkboxes, select boxes, text entry fields etc.) and may provide auto-complete features to assist in finding an appropriate value. Any overridden options will also be displayed and entered in this manner and, when provided, will replace values as would be expected.

Feed-Forward Reporting
Due to the jigsaw or building block like nature of reporting sections, a particular report section may only provide part of the information which is desired, rather than the complete picture. To allow for this the reporting template system in Advanced Firewall allows for a section’s results to be used as the source of options for subsequent sections. These sections can be chained together using a mechanism known as feed-forward, where the results from one section are used to define the behavior of another. To lead by example, take the Network Interfaces and Individual Network Interfaces sections. The first can be used to show a list of all network interfaces which are configured on Advanced Firewall, or those which are configured for internal or external networking. This information provides limited details for the network interface such as its IP address and other details; however it does not show monthly usage statistics. The Individual Network Interfaces section can provide this information, but needs to be supplied with the name of the interface for which to provide details. In this example the Network Interfaces report can produce one or more Interfaces, which is one of the options for the Individual Network Interfaces section. By chaining these two report sections together it is possible to produce a report template which will detail the configured external interface for Advanced Firewall, and then display the advanced usage and bandwidth statistics from it, as well as include the Network Interfaces report.

Groups utilizing feed-forward will require one of their sections to be promoted (denoted as the feeder) to a state where it will provide the answers for which the other sections within that group are to be repeated. Naturally a feeder must be included before the sections it is feeding, and therefore it is removed from the normal section ordering and placed above the grouped options list in the group’s display.

Group Ordering
Sections within a single group can be re-ordered; this notionally changes nothing other than the order in which they are included in the final report once data has been acquired. There are exceptions to this rule however.

Iterative Reporting
Some report sections only deal with a limited set of data, username or IP address for example. For this reason it may be desired to repeat a section using mostly the same options, but with one particular option changed each time. For example it may be desired to see the Individual Network Interface section for several (but notably not all) of the local network interfaces. In this case it would be possible to select the local network interfaces that are desired and repeat the section once for each of the desired interfaces. Note that there is potential overlap here: feed-forward would produce a list of all internal interfaces, and if the desired result is a list of all the local interfaces then feed-forwarding could be used instead. Note that while it was covered first, feed-forward is actually a special case of iteration, where the list of values to be iterated over is produced as the list of answers from a particular report section.

Grouping Sections
To group a number of sections together they should be selected from the included sections list and then grouped using the group button. Note that only sections at the same level in the included sections tree can be grouped together, although a group can contain any number of items including other groups. Similarly the ungroup command should be used to either disband a group or to remove a single item from an existing group. Ungrouping a group will disband that group, moving all its contained sections to the same level on the included sections tree that the group previously occupied; the group folder will then be removed. Ungrouping a single section will move that section up the tree to the same depth as is occupied by the group that it has just been removed from. Note that ungrouping sections will remove any properties that the group contains, and so may affect any feed-forward, iterative or grouped options.

Creating Feed-forward and Iterative Groups
Creating a group construct for use with feed-forward or iterative operations is done in the same way as creating a normal group. To create an iterative group, the desired sections should be grouped and the option which will form the basis of the iteration selected from the Repeat drop-down, which can be found immediately above the grouped options section for that group. Options which may be used in this way are included under a heading (in the drop down menu) of based upon grouped option, and the list will contain most of the options that the grouped options section contains. When iterating over a grouped option, that option is no longer available in the group.

Creating a feed-forward enabled group is done in a similar manner; however this time under the Repeat drop down a list of sections is included under the title using results from a section. By choosing a section to feed-forward the results from, this section is removed from the normal flow within the group and is instead included as a feeder section. It should be noted that when feed-forward is desired the section producing results should be included in the group when it is first created; this will form the basis of the feed-forward. This is due to the nature of feed-forwarding reports, namely that they must produce the list of results to iterate over prior to iterating over them. The results returned by each section are visible under the results tab on the section in question, as well as at the bottom right hand side of the section’s description in the available sections list. Feed-forward results pass from one variable into another; the variables are named in a way which makes them human readable, but not always identically, for the sake of clarity. Some care should be taken when choosing sections to flow into each other; however generally results such as username should be taken to be suitable for feeding a username field. For example, the Network ARP Table section produces a list of interfaces which the connection is on. The result is labelled as Connected Interface and is of a type suitable for forwarding into the Individual Network Interface section.

Additional caution should be taken when considering feed-forward reports as to the volume of data produced, along with the potential work load that this would require on Advanced Firewall. For example, a report which shows the top 20 groups within an organization, the top 50 users within each of those groups and the top 100 banned URLs each of those users attempted to request is entirely possible; this would result in the following execution tree:
Group Activity Section
  20 x User Activity Section
    50 x URL Activity Section
      100 URLs
Hence, 20x50x100 URLs, a hundred thousand URLs. It would also require the execution and calculation of the top URLs section up to a thousand times, or potentially the results for a thousand users. Assuming a reasonable time period for the calculation of each, such a report would potentially take several hours to compile and be bewilderingly detailed for any person who chooses to read it.

Exporting Options
Each report section provides a list of options which define its behavior. For example a domain activity section can take a username value to show the domains requested for a particular user which were subsequently banned. Creating a template for this information for each user within an organization is time consuming and unwieldy to say the least. It is for this purpose that section options may be exported. In this particular example a domain activity section could be included in a report template, and have its Denied status checkbox enabled. Swapping to the export tab would show a list of all the available options for this report; choosing to export the username field prior to creating the report template would mean that the username field is present for this template report on the reports tab on the Advanced Firewall main interface (Logs and reports > Reports > Reports). Similarly, typing a username into the section’s username option (on the options tab) allows the template report to create a default username, which can be changed by the person using the report template. Choosing the Denied option on the export tab would again make this setting available outside of the report template (on the reports page); however it would also have the added effect of allowing a user to turn this option off when using the template. This behavior may be defined at a later stage to make the report template truly flexible.
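To make the workload of nested feed-forward groups concrete before scheduling one, here is an added Python model of the execution tree from the previous subsection; it is not Smoothwall’s code, and the Section/Group classes and the use of each section’s limit as its row count are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union


@dataclass
class Section:
    """A report section; 'limit' is the number of rows it returns (assumed)."""
    name: str
    limit: int


@dataclass
class Group:
    """A feed-forward group: the feeder runs first and every member is
    repeated once per row the feeder returns."""
    name: str
    feeder: Section
    members: List[Union[Section, "Group"]] = field(default_factory=list)


Node = Union[Section, Group]


def plan(node: Node, repeats: int = 1, depth: int = 0,
         lines: Optional[List[str]] = None) -> Tuple[List[str], int, int]:
    """Expand a template into its execution tree.

    Returns (tree lines, total section executions, rows produced by the
    innermost sections). 'repeats' is how many times this node itself runs.
    """
    if lines is None:
        lines = []
    pad = "  " * depth
    if isinstance(node, Section):
        lines.append(f"{pad}{repeats} x {node.name} -> {repeats * node.limit} rows")
        return lines, repeats, repeats * node.limit
    # The feeder runs 'repeats' times and yields 'limit' rows each time;
    # members then run once per feeder row.
    lines.append(f"{pad}{repeats} x {node.feeder.name} (feeder for {node.name})")
    execs = repeats
    rows = repeats * node.feeder.limit
    leaf_rows = 0
    for member in node.members:
        _, e, r = plan(member, rows, depth + 1, lines)
        execs += e
        leaf_rows += r
    return lines, execs, leaf_rows if node.members else rows


# The guide's example: top 20 groups, top 50 users in each, top 100 URLs per user.
GUIDE_EXAMPLE = Group("groups", Section("Group Activity", 20), [
    Group("users", Section("User Activity", 50), [
        Section("URL Activity", 100),
    ]),
])


def main() -> None:
    lines, execs, rows = plan(GUIDE_EXAMPLE)
    print("\n".join(lines))
    print(f"{execs} section executions, {rows} URL rows")


if __name__ == "__main__":
    main()
```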

Reporting Folders

Report templates can be arranged into a common hierarchy to allow for like purposed report templates to be kept together and alleviate some of the confusion in finding the desired template. Report templates are structured into one of the following folders on a standard Advanced Firewall installation.

Email
Firewall and networking
System
Trends
Users
  IP address analysis
  IP address analysis per web content category
    Blogs
    Image and video sharing
    News
    Reference and educational
    Shopping and online auctions
    Social bookmarking
    Social networking
    Sport
    Web portals and search engines
  Top IP addresses
  Top users
  User analysis
  User analysis per web content category
    Blogs
    Image and video sharing
    News
    Reference and educational
    Shopping and online auctions
    Social bookmarking
    Social networking
    Sport
    Web portals and search engines
Web content
  Per category
    Blogs
      Blogger
      Blogs
      WordPress
    Category analysis
    Image and video sharing
      Dailymotion
      Flickr
      Fotolog
      ImageShack
      ImageVenue
      YouTube
    News
      BBC News
      CNet
      CNN
      News
      Slashdot
    Reference and educational
      IMDB
      Wikipedia
    Shopping and online auctions
      Amazon
      Craiglists
      Ebay
      Shopping and online auctions
    Social bookmarking
      Delicious
      Digg
      Reddit
      Stumbleupon
    Social networking
      Bebo
      Facebook
      Friendster
      Hi5
      Linkedin
      Myspace
      Orkut
      Social networking
      Twitter
    Sport
      BBC Sport
      ESPN
      Sport
    Web portals and search engines
      AOL
      Google
      Search engines
      Windows Live and MSN
      Yahoo
  Site analysis
  Top categories
  Top domains
  Top URLs
  Top web searches

The destination folder for a report template can be set when creating the report template itself by means of the Location option. This option contains an indented drop-down list of available folders; report templates can be placed in any folder as desired.

Folders can be created or deleted from the reports page, which is the main location to use to find report templates and report folders. It also provides the ability to rename folders and to edit and remove report templates. A location bar is also present along the top of the Reports page which allows users to navigate the folder structure. Folder navigation is achieved by clicking on the folder name. Clicking on a folder higher up in the hierarchy provides a list of alternative folders on the same level of the tree; this provides a faster means to navigate the list of available folders.

Creating a Folder
To create a folder simply navigate to the appropriate location in the hierarchy and click on the create folder button next to the location bar; this will create a new folder called new folder with the ability to rename it. A new folder should be named using letters, numbers and a limited set of punctuation symbols. Note that report folder names must be unique at the same level.

Renaming Folders
Entering the name that is desired into the text box that is present and clicking rename will change the name of the report folder.

Deleting Folders
Folders can be deleted from the Reports page by pressing the red cross icon immediately below the folder image. Only empty folders can be deleted, so care should be taken to ensure that all report templates and other folders have been removed before deleting a folder. This limitation is in place because folder and report template deletion cannot be undone; therefore such potentially dangerous actions are deliberately long winded.

Scheduling Reports
It is possible to schedule a report template to be executed at a particular time of day and repeated at desired intervals. Scheduled repeats allow for the automated generation of reports at specific intervals; the intervals available are:
• Daily – each day at the time allocated
• Weekday – each working day (Monday to Friday) at the allocated time
• Weekly – every week at the allocated time on the same day of the week as the first report
• Monthly – every month at the allocated time on the same day of the month as the first report
Repetition can also be disabled if it is not desirable to receive a report at regular intervals. Reports generated in this way may be saved for use later via the recent and saved reports section and/or emailed to a list of people as an HTML embedded email or plaintext email. Scheduled reports are deliberately flexible and present a full list of all report templates to be scheduled. Options exported to the Reports page may also be set on a report by report basis, so it is possible to schedule for a particular user (the sales manager for example) the web activity for the sales group using a web activity report template, and for another user (the support manager) the web activity report for the support group by means of the same report template.

Scheduled reports can also be made available to particular portals using the report template’s portal permissions. Since portal permissions can be configured to behave differently depending upon the portal the generating user is assigned to, it is possible to assign a specific portal for the scheduled report to be generated by.

Portal Permissions
Reports can be made available to individuals who do not have access to the Advanced Firewall administrative interface via the Advanced Firewall user portal. This is achieved via a report’s, or report template’s, portal permissions. There are two variations to portal permissions which dictate exactly how a report might be used. Normal report permissions allow a user via the portal access to either a particular report or a particular report template. Access in this context means that they are able to generate and view the report data. The Automatic access permission of a portal is a special permission which allows a generated report to be assigned to all members of the portal belonging to the person who generated the report. To clarify this: a report template will generate a report when it is used. When it is generated via the portal this report will by default only be available to the user who created it, regardless of which portal that user was in. Automatic access allows this report to be made automatically available to other users who share the author’s portal, or to one or more other portals as desired. In other words, Automatic access allows a user’s reporting activity to be made available to other users via the portal.

Reporting Sections

Generators and Linkers
Reporting sections can be divided into principally two types, generators and linkers. While all report sections generate results and display those results in the final rendered report, some sections generate results which are intended for use in feed-forward reports and are only really useful in that context.

For example, the Guardian module provides a report section entitled Per user Client IP addresses. This section will take a Guardian username (be it derived from Active Directory or other such authentication mechanism) and show the IP addresses that are associated with this user in the Guardian web proxy access logs. It will also show the timestamps at which these hits occurred. This information is perhaps informative, but not particularly useful on its own. However the results, Client IP address and Time-Period, are both filters which can be applied to other reports, reports which might not be able to associate activity with a particular username. For example, the IM module provides tracking of Instant Message conversations; however users are unlikely to (not to mention forbidden from) use their work usernames as their local usernames for such conversations. The IM module however does record the IP address used in these conversations, so using a linker section such as the one described above would be able to feed from a username, to an IP address, to an IM conversation. By this mechanism it is possible to deduce the IP address a user has been seen to use, and the time period during which they were using it.

General Sections
The bulk of Advanced Firewall’s reporting sections are reasonably easy to describe and are detailed quite well by their descriptions; there are however several big reports which defy such description and require a more in depth discussion. These will be covered later. Standard sections will show up in the available sections list in a manner similar to the following. This shows the section’s description, title and any results that are returned for use in the system’s feed-forward ability.

Network Interfaces
A list of the configured internal and external network interfaces on the system. This report section lists the interfaces available on Advanced Firewall, including any internal NIC interfaces, External NIC interfaces, modems, VLANs and VPN interfaces. Includes details about the hardware, configuration and recent network activity for each interface.

The options available to this interface allow you to discriminate between Internal, External and VPN interfaces, as well as the ability to show or hide any disconnected interfaces. This section returns an interface which may be passed into a report section such as the Individual network interface report section.

The Anatomy of a URL
URL processing in the Advanced Firewall reporting system is achieved via a series of mechanisms which automatically split a URL into a number of internal parameters which are used to speed up data processing and achieve the desired results efficiently and with minimal need to understand the dynamics of how an individual web site is constructed. However some explanation is required, as several of the more advanced features of the Guardian reports require some manipulation of the URL. An Advanced Firewall reporting URL is extracted into three distinct components: the protocol, domain and parameters. Separation is effectively done from the right hand side backwards, so any URL starting with / would be viewed as simply the parameters. A URL fragment starting with characters and ending with the string :// will be interpreted as a protocol. A URL which starts with a character other than / and does not end with :// is viewed as being the domain. As can be seen, a URL entered into the Advanced Firewall reporting system will be automatically highlighted in color to denote where the appropriate parts of the URL are being extracted from.

URLs entered in this fashion can be complete (as in the above example) or can alternatively be partial, including a combination of protocol, domain and parameters: protocol and domain, domain and parameters, or the parameters themselves. To use a partial URL, the URL entered should be of an appropriate format depending upon the combination of parameters which is desired.

Deciphering a URL can however be a non-trivial task, especially due to some web sites, companies and organizations using a variety of load balancing techniques, sub-domains and a variety of techniques which can only have been considered a good idea at the time. For example, StumbleUpon, a Social bookmarking site, exists not only at the domain www.stumbleupon.com but also stumbleupon.com, a common enough concept with regards to the absence of www. However it also receives some of its content from cdn.stumble-upon.com and stumble-upon.com. For this reason it is possible to switch the URL recognition options in the Advanced Firewall reporting system into dealing with URLs as regular expression matches rather than strict matching.

These options can be turned on individually for the protocol, domain and parameter parts of a URL, and for speed / processing reasons it is advised that they be turned on for the minimum of the parts which are possible. Note however that this can change the ordering of the results.

HTTP Request Methods and HTTPS Interception
The nature of HTTPS interception means that in essence a HTTPS intercepted site should be treated no differently to a non-HTTPS site in terms of its logging; indeed, other than the protocol there is nothing to distinguish HTTP and HTTPS methodology. Guardian however also logs connections made to HTTPS servers where the content of that communication has not been intercepted. HTTPS connections start with a HTTP CONNECT request; if the connection is not being intercepted this is the only part of the communication which is logged. If the connection is being subjected to HTTPS interception then the requests within the connection are additionally logged. To differentiate between the two it is possible to set the HTTP request method (optionally along with the protocol from the domain) to catch HTTPS content which has been intercepted and that which has not. Hence, searching for options other than CONNECT will provide results which may have been subjected to HTTPS interception. Additionally, setting the URL to include the string https:// will return only those results which have been HTTPS intercepted, as it restricts the results to those which are via the HTTPS protocol and using a connection method other than CONNECT.

Guardian Status Filtering
Each URL which passes through Guardian is subjected to a level of filtering; the resulting action of that filtering is logged and can be used to filter any results within the Guardian reports. The reason why a page was banned can be determined by adding the include status option on those reports which support it. A URL may contain one or more of the following status messages, those being Almost blocked, Denied (or blocked), Exception, soft-blocked, temporarily bypassed, Infected or Modified. The meaning of these is covered below.
Almost blocked – This denotes any result whose score for phrase analysis was between 90 and 100 (the default score over which a result is blocked). This shows content which contained a number of phrases which elevated its score, but did not quite cause the site to be blocked.
Denied – This denotes sites which were blocked by the phrase or URL filtering in the Guardian product.
Exception – The site in question was not filtered for one of several reasons; it may be that it is whitelisted, the client IP/Group is not subject to filtering etc.

‘this’. or to enforce AUP concepts such as safe search. however search filtering can be made case sensitive by usage of the case sensitive search option under the advanced options for this report. ‘at’. ‘an’. ‘was’. this list is as follows: ‘i’. client IP address and Guardian status are presented for this report. Additional filtering options for username. Search terms are denoted as being either an individual word. ‘are’. Search words and phrases are assumed to be case insensitive. This might be due to a security rule (such as removing JavaScript etc). ‘be’. ‘as’. ‘or’. ‘of’. Words such as ‘and’. about’. ‘la’. ‘who’. ‘on’. ‘the’. ‘en’. ‘that’. ‘how’. ‘a’. ‘is’. ‘earth’ and ‘destroyer’ and one search phrase. 325 . unlike search phrases can additionally be restricted to omit grammatical sugar or stop words. ‘de’. ‘by’. ‘where’. ‘to’. ‘com’. Discovering search terms and showing them is achieved with the search engine search strings and terms report section. as the vast majority of searches are done regardless of capitalization. or phrases that have been encountered within the Guardian filtered URLs. ‘und’. For example: Searching for ‘babylon 5’ earth destroyer would be considered to be three search words. searching of search terms. Note that the search term reporting will treat any quoted strings as a single search word. ‘for’. however the section is essentially designed to show the top search terms. ‘will’. This section has a few peculiarities to its options which will be covered below. ‘babylon 5’. ‘it’. ‘what’. ‘with’. ‘the’ and ‘www’. Search Terms and Search Phrases There are three facets to the search term reporting on a Guardian system.Smoothwall Advanced Firewall Administrator’s Guide Modified – Determines content which was modified as it passed through the Guardian filter. ‘when’. Both search terms and phrases can optionally be considered as regular expression matches via the appropriate option under the advanced options. 
or the entire phrase which was searched for. Note that a list of Blocked search phrases can be achieved by use of the Guardian status denied option under the Guardian status options. The list of common search terms is taken to be the list of words omitted by the Google search engine. ‘from’. Search terms. ‘of’ and ‘the’ are usually omitted by most search engines and this can be taken into consideration by using the option individual (uncommon) search terms on the search term matching drop-down box. ‘in’. group. filtering by search term and selecting banned search terms.

Note that all search term filters operate over the search phrase rather than individual words and can optionally be changed to using regular expression matches rather than the default mode of operation which is strings containing this phrase. client IP address or group filter etc. The protocol and domain fields in the URL 326 . URL Extraction and Manipulation The Advanced Firewall reporting system for Guardian contains an advanced reporting section called URL interpretation and reporting which allows for a sophisticated set of URL manipulations to be conducted to extract information from the Guardian logs. which in this example is a regular expression URL which refers to the BBC news web site.Reporting Sections Filtering by Search Terms As explained earlier individual Guardian reports can be filtered by the search terminology they contain. The most important option for this report section is the URL. This reporting section has a lot of reasonably complicated options. changing the number of results or any username. those options which are not are grayed out in the example above and will be omitted from any further discussion as they apply the expected limitations on the search results. To search for blocked search terms this filter can be used in combination with the Guardian status filters. This filtering is achieved by using the individual report sections Search term matching options presented under an individual section’s advanced options. however only a few of them are relevant to the discussion of its operation. For example it is possible to show the top ten domains which contained a search request for the word badger.

in this case.uk/1/hi/technology/7878769. ( ). This includes the ability to extract a YouTube video name from a YouTube video ID.com/get_video?video_id=6rNgCnY1lPg http://www. in this case. In these cases the reconstructed URL is a potential URL that might have been used. the URL is rarely of interest to anyone viewing the resultant report although by default it would be included as the section title for the feed-forwarded results. 327 . in this example we can see that the parameter match 2. or the ability to extract a page title from a HTML page’s header. This would mean that entering the option technology into the Parameter match field would produce the top 50 news articles from the technology section of the BBC News web site. This value is subsequently used to uniquely identify the relevant URLs before producing a list of the top matches.co. To elaborate on this matter both of the following URLs: http://www. would be used to uniquely identify this URL. or can reference one of the result’s feedforward values by means of a wildcard. The parameters field however does contain two regular expression matches. extract the <title> section from the page header and include it in the report. The options of Match to compare domain to and Match to compare parameters to allow for values to be substituted into the appropriate URL regular expression match to further filter the URL. The parts of the URL extracted by these matching parts of the URL regular expression are labelled 1 and 2 respectively and the appropriately labelled term will be used by the Match to extract from parameters and Match to compare parameters to fields to further analyze the URL. In the above example the Match to compare parameters to value is 1 which means that the value entered into the Parameter match box would be substituted into $1 in the URL. even if it is not the actual URL that was encountered. however the system would then have to construct a probable URL for the content. In this example. 
Domain match and Parameter match – these options allow for additional information to be fed into the searching and will replace particular matches in the URL with the appropriate values. thus for each of the reconstituted URLs the system would retrieve the HTML (. Of these two parameters one is the section from the BBC news site this article is from. the other is the article name. the parts between the opening and closing brackets. being the value of 7878769 or the article number.stm The two matches would provide technology and 7878679 as matches.com or .uk address version.co. Results title – This report section is feed-forward enabled and can produce a list of regular expression URLs to identify and extract matching content. and could be matched accordingly (giving two hits for this video). which would in this example reference either the . $2. this reconstructed URL is included in the report alongside the match. there are two matches which are extracted from the URL. This can be straight text.uk/get_video?video_id=6rNgCnY1lPg are for the same video.bbc. some sites such as YouTube for example can host several different URLs for the same video ID.stm) page from the BBC News web site. Note. The Match to extract from domain and Match to extract from parameters options present which regular expression match ($1. When this option is ticked. Recognise common URLs – This option allows the reporting system to recognise common URLs for known sites. the top news articles. Rebuild and include example URL – As part of its drill down and feed-forward abilities the URL extraction report section reconstitutes a probable URL for the linked material. For this purpose it is possible to override the title used for the feed-forward sections by entering a value into the results title box. if a BBC news article URL is considered: http://news. $3 etc) to extract from the URL for the purposes of identifying unique content.youtube.youtube.co. 
In this example we can see that the option is enabled. they do not contain any regular expression matches (anything in brackets) and as such will not be used for anything further in this report section.Smoothwall Advanced Firewall Administrator’s Guide in this example are reasonably straight forward. However.

or class of machines. Several Advanced Firewalls for example can be used as a cluster of web content filters or alternatively the system might be configured to receive the browsing activity from several mobile users via the MobileGuardian content filter. %matchtitle% would be the <title> extracted from the relevant HTML page. 328 . Alternatively values of %domainmatch%. %parametermatch% or %url% could be used. The URL once again contains a series of regular expression matches. or internal web sites which may be processed by Guardian but outside of the scope of the standard templates.Reporting Sections In the above example. The origin filter on a Advanced Firewall report allows for the class of machine or in some cases the individual machine to be used to restrict the results. When these results are aggregated onto a central reporting Advanced Firewall system they each contain a unique identifier to state where they came from. which would present the feed-forward result of matchtitle as the title for any feed-forward sections. Note: The list of originating systems does not include a list of individual MobileGuardian installations as there may be several dozen or more of these. In this manner.*) to accommodate YouTube being hosted via multiple domains. This means that the section can easily be tailored to accommodate new web sites. In this case. This identifier can be used to filter particular results to have originated from a particular machine. In this example the URL extraction section is being used to display the top 50 video results from the YouTube site. this time the domain also includes a series of wildcards (. the URL extraction section provides one of the most flexible tools for extrapolating information about particular web sites with no in-built understanding of the site. we can see that %matchtitle% is used as the value. Origin Filtering Advanced Firewall contains the ability to aggregate reports over several different machines. sub-domains and TLDs.

329 .Smoothwall Advanced Firewall Administrator’s Guide Note: The recommended configuration for MobileGuardian installations is to have MobileGuardian derive its configuration from a specific authentication group and so the default template reports have been constructed with that in mind. By default MobileGuardian filtering would be achieved using a group filter for the appropriate group however should more advanced processing be required the Origin filter could be used instead.

Reporting Sections 330 .

• Clients should usually not use an ID. • Hosts on dynamic IPs should use the administrator's email address. i. that the IDs. AH mode uses IP protocol 50. 331 . • A different local network address must be configured at both ends of the tunnel. they cannot both use the default of 192. it is possible that one of the ISPs involved is blocking the ESP or AH packets. Be consistent with IDs. Likewise.0. Check that it is possible to ping the IP address of the RED (Internet) NIC on both Smoothwall Systems. • To simplify the problem.e. Failure to get a ping echo would indicate that: • The remote Advanced Firewall is not running • You have the wrong IP address for the remote Advanced Firewall • There is a network connection problem – check routers. For example: • Hosts on static IPs should use the hostname for the gateway as the ID. IP addresses and Remote network addresses are mirrored. ESP mode uses IP protocol 50. there must be a default route (gateway). At least one field in the subject must be different. attempt to get a connection with shared secrets before moving on to certificates. Likewise the Alt (Alternative) Name field must be unique for each certificate. Site-to-site Problems All the PCs that are to participate in the VPN need to be fully operational and visible on the network before attempting to install and configure VPN software. • Each node on the VPN network must have its own unique certificate. if the tunnel goes into OPEN mode but no packets will flow between the two networks.Appendix C Troubleshooting VPNs In this appendix: • Solutions to problems with VPNs. This is where most people make mistakes. hubs and cables etc. The subject is a composite of the information fields supplied when the certificate is created.168. In particular. unless they are using an unusual client that requires one. • Verify with the ISP that VPN traffic is not being blocked by any firewall or router used by the ISP. 
• Check the routing information displayed in Advanced Firewall's status page. Specifically. Obviously fields like company name can be common to all certificates. ensure there is no conflict with another network address.0. • There is a problem at your Internet Service Provider • Advanced Firewall has ping disabled via the admin interface • Verify IP addresses by checking the Networking > Interfaces > Interfaces page for the appropriate Ethernet card. • Verify the symmetry in the tunnel specification.

Also verify the certificate is within its valid time window. though. the connection will be refused because the certificate is not valid. This can make diagnosing problems difficult if the logs on the Advanced Firewall gateway are not sufficient for finding the cause or causes of connection issues. As a last resort. network browsing is facilitated via network broadcasts. you must create a registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakle y Add a REG_DWORD value named 'EnableLogging'.log The following URL is Microsoft's own guide to debugging L2TP connection problems: http://support. for instance.325034 Note: Smoothwall does not endorse manually editing the registry. This problem is exactly what Windows network administrators experience when connecting two or more subnets via a router. However. Note that the error messages produced by the L2TP client can be somewhat strange. and the time is set incorrectly by only an hour or so. single subnet Windows networks. This is because network broadcasts do not normally cross network boundaries. it is necessary to make sure both ends of the tunnel are properly configured. Microsoft's L2TP client does not produce any log files.L2TP Road Warrior Problems L2TP Road Warrior Problems The most likely problem with L2TP road warriors is establishing the initial IPSec transport connection. Check the IPSec logs first when looking for causes of problems. There must be a CA certificate. or 0 to disable it. Set the value to 1 to enable logging. you can also enable debug logging on the Windows client. 332 . The most likely reason for a failure at this stage is an incorrect or invalid certificate. If the certificate is newly created.microsoft. the VPN service must be restarted.com/default. Windows Networking Issues In order to facilitate network browsing under Microsoft Windows across the VPN. such as routers and VPNs. If a road warrior were to connect in. 
The same problems that can occur with any other type of IPSec connection can also occur with an L2TP road warrior. Incorrectly altering registry values may result in registry corruption and render the computer unusable. Modem not responding can mean that there was an IPSec certificate error. Enabling L2TP Debugging In a default configuration. because the vast majority of parameter values are predefined it is generally not likely for an IPSec protocol error other then a certificate problem to occur. present in the system. network neighborhood will just work without any configuration required. If you are familiar with setting up multiple subnets of Windows machines. First of all. then the problem to be solved is the same. verify the correct certificate is installed using the Microsoft MMC tool. After changing this value. In these small networks.aspx?scid=kb. it would be unable to browse the network unless the administrator has configured the network to enable it. From the command line: net stop policyagent followed by: net start policyagent The log file will be in Windows system directory: \debug\oakley. In small. To enable IPSec-level logging if you are using Windows 2000 or XP.en-us. MMC has facilities for verifying that a host certificate is recognized as being valid. as well as a host certificate.

such as two subnets of Windows machines with a VPN between the two. attach to printers and shares. the following notes are provided to assist with configuring your network to enable network browsing across the VPN. 333 . For inexperienced Windows administrators. This WINS server is analogous to a DNS server for the Windows machines. the problem to be resolved is identical to that which the administrator would face with two normally routed networks. you will require a WINS server. Each of your desktop machines and servers should be configured to use the central WINS server in its network properties box. Again. The built in L2TP client for Windows can be configured to accept WINS and DNS server settings from the server. These parameters are configured in the Global Settings page. it is necessary to set-up either one WINS server and share it between the subnets. normally running on your PDC. If this is done then when they are connected to the office network via the VPN. or have one on each and configure a replicating system between the two. In more complex arrangements. they should be able to browse the office network. the details depend on the client in use.Smoothwall Advanced Firewall Administrator’s Guide In the case of road warrior connections. For NT networks. Any road warriors connecting in should also be set to use this WINS server. etc.

Windows Networking Issues 334 .

1.2 Source port: HTTP (80) Destination port: HTTP (80) Comment: Web Server . it can support host IP addresses of 192.1.1.0/24. i.255. a DMZ has been configured with a network address of 192.1.1.3 Destination IP: 192.3 – This server will have an internal IP address of 192.0 Comment: External Alias .1.1.3 Source port: SMTP (25) Destination port: SMTP (25) Comment: Mail Server .1.168.168.168.1.1 through to 192.1.3 Destination IP: 192.3 POP3 335 .1.1.168. Basic Hosting Arrangement In this example. To configure this scenario: 1 First create the external aliases: Alias IP: 216. Within the DMZ there are two servers: Web server .e. Mail server .3.1.2 and present an external IP address of 216.1.255.1.2 2 Alias IP: 216.1.168.3 Source port: POP3 (110) Destination port: POP3 (110) Comment: Mail Server .0 Comment: External Alias .255.1.1.3 Next.1.1.254.168.168.3 and present an external IP address of 216.2.2 Destination IP: 192.2 | Netmask: 255.1.255.2 HTTP Protocol: TCP External IP: <BLANK> Source IP: 216.168. add the port forwards: Protocol: TCP External IP: <BLANK> Source IP: 216.Appendix D Hosting Tutorials In this appendix: • Examples of hosting using Advanced Firewall.3 SMTP Protocol: TCP External IP: <BLANK> Source IP: 216.2 – This server will have an internal IP address of 192.1.3 | Netmask: 255.

It should only be accessible to external hosts in the range 100.255.0/24.100.4 Next.1.168. Within the DMZ are three servers: Web server .1.1.2.1.2 HTTPS Protocol: TCP External IP: 100.2 Source port: HTTPS (443) Destination port: HTTPS (443) Comment: Web Server .3 | Netmask: 255.0 Comment: External Alias .1.1.2 Alias IP: 216.3 Destination IP: 192.0.255.1.3.0 Comment: External Alias .1. add the source mappings: Source IP: 192.2 Destination IP: 192.168.2 – This server will have an internal IP address of 192.0/24 and 100.1.2 HTTP Protocol: TCP External IP: <BLANK> Source IP: 216.2 Comment: Web Server .100.168.168.1.e. It supports both HTTP and HTTPS.0/24 Source IP: 216.1.1 through to 192.100.1.168.3 Extended Hosting Arrangement In this example.3 Source port: HTTP (80) 336 . i. a DMZ has been configured with a network address of 192.1.1.1.1.3 – This server will have an internal IP address of 192.3 Comment: Mail Server .2 and present an external IP address of 216.4 – This server will have an internal IP address of 192.168.3 and present an external IP address of 216.1.255.1.168.2 | Netmask: 255.254.1.101.4 and present an external IP address of 216.4 To configure this scenario: 1 First create the external aliases: Alias IP: 216.1.2 | Alias IP: 216.2 Source port: HTTP (80) Destination port: HTTP (80) Comment: Web Server .168.255.168.1.1.1.1.1.Extended Hosting Arrangement 3 Finally. Web server .168.1.2 Destination IP: 192.1.1.1.255.1.3 | Alias IP: 216.1.2 Source IP: 192.1.100. Mail server . add the port forwards: Protocol: TCP External IP: <BLANK> Source IP: 216. it can support host IP addresses of 192.0 Comment: External Alias .1.4 | Netmask: 255.168.100.3 2 Alias IP: 216.255.

5 – External IP: 216.1.2 – External IP: 216.1.10.1.10.168.4 More Advanced Hosting Arrangement In this example.5.168.168.2. Internal IP: 192.1.168.1.1.0/24 contains 5 servers: Web Server .10.168.1.168. 192.0/24 contains 3 servers: SQL Server .1. 192. Internal IP: 192.1.168.4 Comment: Mail Server .1. bridged to SQL Server .1.1.1.168.1.1. restricted users.168.1.168.3 Destination IP: 192.3 HTTP Protocol: TCP External IP: <BLANK> Source IP: 216. Virtual Web Server .3 – External IP: 216.1.10. it can support host IP addresses of 192.2.2 – Internal IP: 192.2 Source IP: 192.168.1.0.3 | Alias IP: 216.2 | Alias IP: 216.0/24 Source IP: 216.3 Source port: HTTP (80) Destination port: HTTP (80) Comment: Web Server . a DMZ has been configured with a network address of 192. i.1.Smoothwall Advanced Firewall Administrator’s Guide Destination port: HTTP (80) Comment: Web Server .168.10.2. same physical host as Virtual Web Server .1.1.4.4 – External IP: 216. Internal IP: 192.4 | Alias IP: 216.2 Comment: Web Server .1.4 Destination IP: 192.1.1.4 SMTP 3 Protocol: TCP External IP: <BLANK> Source IP: 216.4 Source port: SMTP (25) Destination port: SMTP (25) Comment: Mail Server . 337 .168.1. add the source mappings: Source IP: 192.3 Intranet Web Server .1.168.3 HTTP Protocol: TCP External IP: 100. A local private network. Internal IP: 192.3 Comment: Web Server .1 through to 192. Web Server .4 POP3 Finally.100.1.3.254.3.4 Destination IP: 192.4.1.1.1.2 Mail Server [int] .4 Source port: POP3 (110) Destination port: POP3 (110) Comment: Mail Server .3 – Internal IP: 192.5.168.6.1.3 Source IP: 192.168.e.1.1. A DMZ network.168.

168.255.4 | Netmask: 255.168. for outgoing mail.1. add the port forwards: Port forwards for example 3.255.7.1.6 – External IP: 216.7 Next.255.1.4 Alias IP: 216.255.1.7.2 Destination IP: 192. same physical host as Virtual Web Server . Protocol: TCP External IP: <BLANK> Source IP: 216.More Advanced Hosting Arrangement Virtual Web Server .3 | Netmask: 255.1.1. out] – External IP: 216.1.1.1.1.168.0 Comment: External Alias .1.168.255.255.0 Comment: External Alias .1.0 Comment: External Alias .3. To configure this scenario: 1 First create the external aliases: Alias IP: 216.168.4 HTTP Protocol: TCP 338 .5.255.1.3 HTTP Protocol: TCP External IP: <BLANK> Source IP: 216.1.1. Internal IP: 192.3 Alias IP: 216.1.255. relaying to Mail Server [int] .2 | Netmask: 255.255.1. Mail Server [ext.255.1.4 Source port: HTTP (80) Destination port: HTTP (80) Comment: Intranet Web Server .10.1.6 2 Alias IP: 216.6 | Netmask: 255.5 | Netmask: 255.7.3 Source port: HTTP (80) Destination port: HTTP (80) Comment: Web Server .0 Comment: External Alias .4 Destination IP: 192.6. Internal IP: 192.2 Source port: HTTP (80) Destination port: HTTP (80) Comment: Web Server .3 Destination IP: 192.255.7 | Netmask: 255.0 Comment: External Alias .1.6.1.0 Comment: External Alias .255. Mail Server [ext.2 Alias IP: 216.5. Internal IP: 192.1.5 Alias IP: 216.1.168.1.1.1.1.1. in] – External IP: 216.1.2 HTTP Protocol: TCP External IP: <BLANK> Source IP: 216.

1.7 Destination IP: 192.168.1.168.5 Source port: HTTP (80) Destination port: HTTP (80) Comment: Virtual Web Server .2 Destination IP: 192.2 4 Source interface: Eth1 Destination interface: Eth2 Protocol: TCP Source IP: 192.10.168.1.1.2 Destination port: User defined.1.6 Destination IP: 192.1.] .7 Destination IP: 192.6 HTTP Protocol: TCP External IP: <BLANK> Source IP: 216.168.2 | Alias IP: 216.1. 3306 Comment: Web Server . add the zone bridges: Zone bridging for example 3. in] .3 Destination port: SMTP (25) Comment: Mail Server [ext.168.1.1.7 Source port: POP3 (110) Destination port: POP3 (110) Comment: Mail Server .1.7 Destination IP: 192.1.1. Source interface: Eth1 Destination interface: Eth2 Protocol: TCP Source IP: 192.168.5 HTTP Protocol: TCP External IP: <BLANK> Source IP: 216.1.5 Destination IP: 192.10.1.7 SMTP 3 Protocol: TCP External IP: <BLANK> Source IP: 216.1.168.7 to Mail Server [int.168.7 POP3 Next.1.Smoothwall Advanced Firewall Administrator’s Guide External IP: <BLANK> Source IP: 216.3 Finally. Source IP: 192.168.5 Source port: HTTP (80) Destination port: HTTP (80) Comment: Virtual Web Server .1.2 Comment: Web Server .2 to SQL Server . add the source mappings: Source mapping for example 3.7 Source port: SMTP (25) Destination port: SMTP (25) Comment: Mail Server .2 339 .

5 & .1.3 Comment: Web Server .1.1. out] .More Advanced Hosting Arrangement Source IP: 192.3 | Alias IP: 216.1.168.5 Comment: Virtual Web Server .168.5 | Alias IP: 216.10.1.4 | Alias IP: 216.4 Source IP: 192.168.1.1.1.1.1.6 340 .6 Source IP: 192.3 Source IP: 192.1.168.6 | Alias IP: 216.6 Comment: Mail Server [ext.4 Comment: Intranet Web Server .

3DES A triple strength version of the DES cryptographic standard. or systems. Algorithm In Smoothwall products. Authentication The process of verifying identity or authorization.Glossary Numeric 2-factor authentication The password to a token used with the token. Active Directory Microsoft directory service for organizations. AES provides high security with fast performance across multiple platforms. 192-bit and 256-bit. B Bandwidth Bandwidth is the rate that data can be carried from one point to another. AUP (Acceptable Use Policy) An AUP is an official statement on how an organization expects its employees to conduct messaging and Internet access on the organization’s email and Internet systems. but not secrecy. ARP (Address Resolution Protocol) A protocol that maps IP addresses to NIC MAC addresses. usually using a 168-bit key. Access is only be granted when you use the two together. an alias is an additional public IP that operates as an alternative identifier of the red interface. used together with something you have. It contains information about organizational units. processes. an algorithm is a mathematical procedure that manipulates data to encrypt and decrypt it. AES (Advanced Encryption Standard) A method of encryption selected by NIST as a replacement for DES and 3DES. Measured in Bps 341 . ActiveX* A Microsoft reusable component technology used in many VPN solutions to provide VPN client access in a road warrior's web browser. users and computers. In other words: 2-factor authentication is something you know. The policy explains the organization’s position on how its users should conduct communication within and outside of the organization both for business and personal use. AH (Authentication Header) Forms part of the IPSec tunnelling protocol suite. AES supports key lengths of 128-bit. Alias or External Alias – In Smoothwall terminology. ARP Cache Used by ARP to maintain the correlation between IP addresses and MAC addresses. programs. 
A Acceptable Use Policy See AUP Access control The process of preventing unauthorized access to computers. AH sits between the IP header and datagram payload to maintain information integrity.

Cipher A cryptographic algorithm. Buffer Overflow An error caused when a program tries to store too much data in a temporary storage area. Cryptography The study and use of methods designed to make information unintelligible. Dynamic IP A non-permanent IP address automatically assigned to a host by a DHCP server. DES is scheduled for official obsolescence by the US government agency NIST. DHCP (Dynamic Host Control Protocol) A protocol for automatically assigning IP addresses to hosts joining a network. Denial of Service Occurs when a network host is flooded with large numbers of automatically generated data packets. Cross-Over Cable A network cable with TX and RX (transmit and receive) reversed at either end to provide a direct peer-to-peer network connection. Ciphertext is created from plain text using a cryptographic algorithm. DER (Distinguished Encoding Rules) A certificate format typically used by Windows operating systems. Ciphertext Encrypted data which cannot be understood by unauthorized parties. DES (Data Encryption Standard) A historical 64-bit encryption algorithm still widely used today. DMZ (Demilitarized Zone) An additional separate subnet. Cracker A malicious hacker. or requesting the services of. Certificates are created by CAs. established using a modem. isolated as much as possible from protected networks. another computer or program. responsible for issuing and managing x509 digital certificates. This can be exploited by hackers to execute malicious code. D Default Gateway The gateway in a network that will be used to access another network if a gateway is not specified for use. Dial-Up A telephone based. Domain Controller A server on a Microsoft Windows network that is responsible for allowing host access to a Windows domain's resources.(Bytes per second) or Kbps. BIN A binary certificate format. 342 . The receiving host typically slows to a halt while it attempts to respond to each request. non-permanent network connection. 
Client Any computer or program connecting to. 8-bit compatible version of PEM. A certificate contains owner identity information and its owner's public key. Certificate A digital certificate is a file that uniquely identifies its owner. C CA (Certificate Authority) A trusted network entity. DNS (Domain Name Service) A name resolution service that translates a domain name to an IP address and vice versa.

FIPS Federal Information Processing Standards. email client and groupware applications (such as shared calendars). Hub A simple network device for connecting networks and network hosts. Encryption The transformation of plaintext into a less readable form (called ciphertext) through a mathematical process. phrases. lists of file types and replacement rules.Smoothwall Advanced Firewall Administrator’s Guide Dynamic token A device which generates one-time passwords based on a challenge/response procedure. H Hacker A highly proficient computer programmer who seeks to gain unauthorized access to systems without malicious intent. A ciphertext may be read by anyone who has the key to decrypt (undoes the encryption) it. Host A computer connected to a network. E Egress filtering The control of traffic leaving your network. Green In Smoothwall terminology. See NIST. green identifies the protected network. Exchange Server A Microsoft messaging system including mail server. Firewall A combination of hardware and software used to prevent access to private network resources. HTTP (Hypertext Transfer Protocol) The set of rules for transferring files on the World Wide Web. Filters are used in policies to determine if a user should be allowed access to information or files he/she has requested using their web browser. G Gateway A network point that acts as an entrance to another network. Hostname A name used to identify a network host. domains. 343 . Exploit A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service. F Filter A filter is a collection of categories containing URLs. ESP (Encapsulating Security Payload) A protocol within the IPSec protocol suite that provides encryption services for tunnelled data. HTTPS A secure version of HTTP using SSL.

I

ICMP (Internet Control Message Protocol): One of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.
IDS: Intrusion Detection System
IP: Internet Protocol
IPS: Intrusion Prevention System
IP Address: A 32-bit number that identifies each sender and receiver of network data.
IPSec (Internet Protocol Security): An internationally recognized VPN protocol suite developed by the Internet Engineering Task Force (IETF).
IPSec Passthrough: A 'helper' application on NAT devices that allows IPSec VPN traffic to pass through.
IPtables: The Linux packet filtering tool used by Smoothwall to provide firewalling capabilities.
ISP: An Internet Service Provider provides Internet connectivity.

K

Kernel: The core part of an operating system that provides services to all other parts of the operating system.
Key: A string of bits used with an algorithm to encrypt and decrypt data. Given an algorithm, the key determines the mapping of plaintext to ciphertext.
Key space: The name given to the range of possible values for a key. The key space is the number of bits needed to count every distinct key. The longer the key length (in bits), the greater the key space.

L

L2F (Layer 2 Forwarding): A VPN system, developed by Cisco Systems.
L2TP (Layer 2 Transport Protocol): A protocol based on IPSec which combines Microsoft PPTP and Cisco Systems L2F tunnelling protocols.
LAN (Local Area Network): A network between hosts in a similar, localized geography.
Leased Lines (or private circuits): A bespoke high-speed, high-capacity site-to-site network that is installed, leased and managed by a telephone company.
Lockout: A method to stop an unauthorized attempt to gain access to a computer. For example, a three try limit when entering a password. After three attempts, the system locks out the user.

M

MAC Address (Media Access Control): An address which is the unique hardware identifier of a NIC.
MX Record (Mail eXchange): An entry in a domain name database that specifies an email server to handle a domain name's email.

N

NAT-T (Network Address Translation Traversal): A VPN Gateway feature that circumvents IPSec NATing problems. It is a more effective solution than IPSec Passthrough.
NIC: Network Interface Card
NIST (National Institute of Standards and Technology): NIST produces security and cryptography related standards and publishes them as FIPS documents.
NTP (Network Time Protocol): A protocol for synchronizing a computer's system clock by querying NTP Servers.

O

OU: An organizational unit (OU) is an object used to distinguish different departments, sites or teams in your organization.

P

Password: A protected/private string of characters, known only to the authorized user(s) and the system, used to authenticate a user as authorized to access a computer or data.
PEM (Privacy Enhanced Mail): A popular certificate format.
Perfect Forward Secrecy: A key-establishment protocol used to secure previous VPN communications should a key currently in use be compromised.
PFS: See Perfect Forward Secrecy.
Phase 1: Phase 1 of a 2 phase VPN tunnel establishment process. Phase 1 negotiates the security parameter agreement.
Phase 2: Phase 2 of a 2 phase VPN tunnel establishment process. Phase 2 uses the agreed parameters from Phase 1 to bring the tunnel up.
Ping: A program used to verify that a specific IP address can be seen from another.
PKCS#12 (Public Key Cryptography Standards #12): A portable container file format for transporting certificates and private keys.
PKI (Public Key Infrastructure): A framework that provides for trusted third party vetting of, and vouching for, user identities, and binding of public keys to users. The public keys are typically in certificates.
Plaintext: Data that has not been encrypted, or ciphertext that has been decrypted.
Policy: Contains content filters and, optionally, time settings and authentication requirements, to determine how Advanced Firewall handles web content and downloads to best protect your users and your organization.
Port: A service connection point on a computer system numerically identified between 0 and 65536. Port 80 is the HTTP port.
Port Forward: A firewall rule that routes traffic from a receiving interface and port combination to another interface and port combination. Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.

PPP (Point-to-Point Protocol): Used to communicate between two computers via a serial interface.
PPTP (Peer-to-Peer Tunnelling Protocol): A widely used Microsoft tunnelling standard deemed to be relatively insecure.
Private Circuits: See Leased Lines.
Private Key: A secret encryption key known only by its owner. Only the corresponding public key can decrypt messages encrypted using the private key.
Protocol: A formal specification of a means of computer communication.
Proxy: An intermediary server that mediates access to a service.
PSK (Pre-Shared Key): An authentication mechanism that uses a password exchange and matching process to determine authenticity.
Public Key: A publicly available encryption key that can decrypt messages encrypted by its owner's private key. A public key can be used to send a private message to the public key owner.
PuTTY: A free Windows SSH client.

Q

QOS (Quality of Service): In relation to leased lines, QOS is a contractual guarantee of uptime and bandwidth.

R

RAS (Remote Access Server): A server which can be attached to a LAN to allow dial-up connectivity from other LANs or individual users. RAS has been largely superseded by VPNs.
Red: In Smoothwall, red is used to identify the Unprotected Network (typically the Internet).
RIP (Routing Information Protocol): A routing protocol which helps routers dynamically adapt to changes in network connections by communicating information about which networks each router can reach and how far away those networks are.
Road Warrior: An individual remote network user, typically a travelling worker 'on the road' requiring access to an organization’s network via a laptop. Usually has a dynamic IP address.
Route: A path from one network point to another.
Routing Table: A table used to provide directions to other networks and hosts.
Rules: In firewall terminology, rules are used to determine what traffic is allowed to move from one network endpoint to another.

S

Security policy: A security policy is a collection of procedures, standards and guidelines that state in writing how an organization plans to protect its physical and information technology (IT) assets. It should include password, account and logging policies, administrator and user rights, and define what behavior is and is not permitted, by whom and under what circumstances.

Server: In general, a computer that provides shared resources to network users. Usually uses a static IP address.
Single Sign-On (SSO): The ability to log in to multiple computers or servers in a single action by entering a single password.
SIP (Session Initiation Protocol): A protocol for initiating, modifying, and terminating an interactive user session that involves multimedia elements such as video, voice, instant messaging, online games, and virtual reality. Commonly used in VOIP applications.
Site-To-Site: A network connection between two LANs, typically between two business sites.
Smart card: A device which contains the credentials for authentication to any device that is smart card-enabled.
Spam: Junk email, usually unsolicited.
SQL Injection: A type of exploit whereby hackers are able to execute SQL statements via an Internet browser.
Squid: A high performance proxy caching server for web clients.
SSH (Secure Shell): A command line interface used to securely access a remote computer.
SSL: A cryptographic protocol which provides secure communications on the Internet.
SSL VPN: A VPN accessed via HTTPS from any browser (theoretically). SSL VPNs require minimal client configuration.
Strong encryption: A term given to describe a cryptographic system that uses a key so long that, in practice, it becomes impossible to break the system within a meaningful time frame.
Subnet: An identifiably separate part of an organization’s network.
Switch: An intelligent cable junction device that links networks and network hosts together.
Syslog: A server used by other hosts to remotely record logging information.

T

Triple DES (3-DES) Encryption: A method of data encryption which uses three encryption keys and runs DES three times. Triple-DES is substantially stronger than DES.
Tunneling: The transmission of data intended for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.

U

User name / user ID: A unique name by which each user is known to the system.

V

VPN (Virtual Private Network): A network connected together via securely encrypted communication tunnels over a public network, such as the global Internet.
VPN Gateway: An endpoint used to establish, manage and control VPN connections.

X

X509: An authentication method that uses the exchange of CA issued certificates to guarantee authenticity.

Index

A

accessing 4
active directory: cache timeout 196; domain 196; extra realm 203; password 196; status 196; tenants 196; username 196
active directory legacy: cache timeout 201; discover kerberos realms through dns 202; extra group search roots 202; extra realms 203; extra user search roots 202; kerberos realm 201; netbios domain name 202; password 201; port 202; sam account name 202; server 201; server username 201; status 201; tenants 201; user search root 202
admin 3
admin options 14
administration 14
administration login failures 228
administrative users 14
adsl modem settings 28
advanced 8
AIM 95
aim 95
alert im proxy monitored word 228
alerts 5, 228: administration login failures 228; email 257; email to sms 257; email virus monitor 228; external connection failover 228; firewall notifications 228; hardware failover notification 228; hardware failure alerts 228; health monitor 228; inappropriate words in im 228; intrusion detection system monitor 229; l2tp vpn tunnel status 228; license expiry status 228; output system test messages 228; settings 5; smoothrule violations 228; smoothtunnel vpn certificate monitor 228; system boot (restart) notification 229; system resource monitor 228; system service monitoring 228; traffic statistics monitor 228; update monitoring 229; ups, power supply status warning 228; vpn tunnel status 228
application helper 70: ftp 70; h323 passthrough support 70; irc 70; pptp client support 70
archives 13
arp filter 54
arp table size 54
audit 55
authentication 9, 128, 193: choosing 302; diagnostics 193; mechanisms 301; time-out 193
automatic whitelisting 95

B

banned users 216
black-list users 95
bond 34
bridge 33
bridging: groups 63; rules 59; zones 59
byod 213

C

ca 14, 15
censoring 95
central management 291: about 291; pre-requirements 291
central management key 293
centrally manage 291

certs 15: ca 14
child node 293
cluster 291
configuration tests 14
connection methods 20: dial-up modem 30; ethernet 20; ethernet/modem hybrid 20; isdn modem 28; modem 20
connection profiles 20: creating 20; deleting 33; modifying 33
connection tracking 54
connections 19
connectivity 7
console: connecting via 17
control 15
control page 4
create 5
csv 295: importing nodes 295
csv files 295
custom categories 11
custom signatures 118

D

database 224: settings 6
datastore 224
deep packet inspection 74
default: interface 20; users 216
denial of service 52
detection policies 114
dhcp 12: custom options 12; leases 12; relay 12; server 12
dhcp ethernet 22: settings 23
diagnostics 14, 193
dial-up modem 30
directories 9
directory settings 194: prerequisites 195, 199, 200
dns 11, 105: dynamic 11; proxy 11; proxy service 106; static 11, 105
documentation 1
DoS 53
dpi 74

E

ECN 54
email 5, 6
email to sms 257
email virus monitor 228
enable arp filter 54
ethernet 20
External 228
external: access 14; aliases 7
external connection failover 228
external services 8, 78: editing 79; removing 79

F

failover 14, 279, 280: failover unit 283; master 281
filtering 7
filters 11
firewall 5, 6: accessing browser 4; connecting 17; notifications 228
firmware upload 14
ftp 10, 70, 99

G

gadugadu 95
global 12, 15
group bridging 7, 63
groups 6, 9, 216: banned users 216; default users 216; mapping 205; network administrators 216; renaming 216, 217; unauthenticated ips 216

H

h323 passthrough support 70
hardware 14: failover 280
hardware Failover 279
hardware failover notification 228
hardware failure alerts 228
health monitor 228

heartbeat 279
hide conversation text 95
hostname 13
https 4
hybrid 20

I

icmp 53
ICMP ping 53
ICMP ping broadcast 53
ICQ 95
ids 6, 11
igmp 53
IGMP packets 53
im 93: hide conversation text 95; proxy 5
im proxy 6
inappropriate words in im 228
information 4
instant messenger 9, 93: block file transfers 95; blocked response 95; blocked response message 95; censor 95; intercept ssl 95; logging warning 95; logging warning message 95; protocols (aim 95; gadugadu 95; icq 95; jabber 95; msn 95); proxy 93, 94
instant messenger proxy: enable 94; enabled on interfaces 95; exception local IP addresses 96
interface: bond 34; bridge 33
interfaces 7
internal aliases 7
inter-zone security 59
intrusion detection 11
intrusion detection system 11
intrusion system 114: custom policies 117; detection policies 114; policies 114; prevention policies 115
intrusion system monitor 229
ip address: defining 43
ip block 7
ip tools 14
ips 6, 69
ipsec 5, 6: roadwarriors 15; subnets 15
irc 70
isdn modem 28: settings 29
isp 20

J

jabber 95

K

kerberos keytabs 9

L

l2tp roadwarriors 15
l2tp vpn tunnel status 228
layer 7 application control 74
ldap directory: bind method 197; cache timeout 198; discover kerberos realms through dns 199; extra group search root 198; extra realms 199; extra user search roots 198; group search roots 198; kerberos realm 197; password 197; port 198; server 197; status 196; tenants 197; user search root 198; username 197
license expiry status 228
licenses 13
local users 203: activity 208; adding 204; configuring 203; deleting 205; editing 205; managing 204; status 203; tenants 203
log retention 224
log settings 6
logs 6: email 245; enable remote syslog 252; remote syslog server 252

logs (continued): retention 252

M

mac spoof 23
maintenance 13
master 281
message censor 11: custom categories 11; filters 11; time 11
Microsoft Messenger 95
modem 14, 20: settings 31
modules 13
MSN 95
multicast traffic 53

N

network: administrators 216; interface 19
networking 6, 8: source mapping 46
node 297: add 294; child 293; child delete 297; child edit 296; configure child 13; csv 295; delete 297; disable 299; edit 296; import 295; local settings 13; manage 297; monitor 297; parent 292; reboot 299; review 297; update 299

O

OpenVPN 162
outbound access: port rules 72; source rules 76
outgoing 8
output settings 6
output system test messages 228

P

pages
  central management 13
  info
    alerts 5
      alerts 5
      custom 5
    logs 6
      firewall 6
      ids 6
      im proxy 5, 6
      ips 6
      ipsec 6
      system 6
      web proxy 6
    realtime 5
      firewall 5
      ipsec 5
      portal 5
      system 5
      traffic graphs 5
    reports
      reports 5
      saved 5
      scheduled reports 5
    settings
      alert settings 5
      database settings 6
      groups 6
      log settings 6
      output settings 6
  information 4
  logs and reports settings
    datastore 224
  main 4
  networking 6, 8
    filtering 7
      group bridging 7
      ip block 7
      zone bridging 7
    firewall 8
      advanced 8
      port forwarding 8
      source mapping 8
    interfaces 7
      connectivity 7
      external aliases 7
      interfaces 7
      internal aliases 7
      ppp 8
      secondaries 8
    outgoing 8
      external services 8
      policies 8
      ports 8
    routing 7
      ports 7
      rip 7

pages (continued)
  networking (continued)
    routing (continued)
      sources 7
      subnets 7
    settings
      advanced 8
      port groups 8
  services 8
    authentication 9
      directories 9
      groups 9
      kerberos keytabs 9
      settings 9
      ssl login 9
      temporary bans 9
      user activity 9
      wpa enterprise 9
    dhcp
      dhcp custom options 12
      dhcp leases 12
      dhcp relay 12
      dhcp server 12
      global 12
    dns 11
      dns proxy 11
      dynamic dns 11
      static dns 11
    ids 11
      intrusion system detection 11
      policies 11
      signatures 11
    message censor 11
    proxies 9
      ftp 10
      im proxy 9
      sip 10
      web proxy 9
    snmp 11
    user portal 9
      groups 9
      portals 9
      user exceptions 9
  system
    administration 14
      admin options 14
      administrative users 14
      external access 14
    central management
      child nodes 13
      local node settings 13
      overview 13
    diagnostics 14
      configuration tests 14
      diagnostics 14
      ip tools 14
      traffic analysis 14
      whois 14
    hardware 14
      failover 14
      firmware upload 14
      modem 14
      ups 14
    maintenance 13
      archives 13
      licenses 13
      modules 13
      scheduler 13
      shutdown 13
      updates 13
    preferences 13
      hostname 13
      registration options 13
      time 13
  vpn 15
    ca 15
    certs 15
    control 15
    global 15
    ipsec roadwarriors 15
    ipsec subnets 15
    l2tp roadwarriors 15
    ssl roadwarriors 15
parent node 292
passwords 3
policies 11, 78, 114: intrusion 114; outgoing 8
port forwarding 8
port forwards 67: comment 69; creating 68; criteria 67; destination address 69; destination port 69; editing 69; enabled 69; external ip 68; ips 69; logging 69; protocol 68; removing 69; source IP 69; source port 69; user defined 69
port groups 8
port rules 72: creating 73; deleting 75, 78; editing 75, 78; modes 72; preset 72

port rules (continued): viewing 75
portal 5, 236: access 86; configure 81; delete 86; edit 86; groups 85; policy tester 83; user except 85
portals 9
ports 7, 8
ppp 8
ppp over ethernet settings 25
ppp profile: creating 31
pptp client support 70
pptp over ethernet settings 26
preferences 13
prevention policies 115
primary dns 20
proxies 9: dns 106; sip 96
proxy 9, 10: ftp 99

R

radius: action on login failure 200; cache timeout 200; identifying IP address 200; obtain groups from radius 200; port 200; secret 199; server 199; status 199; tenants 199
realtime 5: email 5, 6
reboot 299
registration options 13
reports 5, 219: custom 5; database 224; reports 5; scheduled 5; violations alert 228
reverse proxy 6, 119
rip 7
routing 7
rules: dynamic host 107; external access 273; external service 78; group bridging 63; internal alias 47; ip blocking 51; port 43; port forward 67; source 76; source mapping 46; subnet 39; zone bridging 59

S

scheduled reports 5
scheduler 13
secondaries 8
secondary dns 20
selective ACK 54
services: authentication 9, 193; dhcp 12; dns 11, 105 (dns proxy 106; dynamic dns 107); ids 11; intrusion system 114; message censor 11; portal 9; rip 40; sip 96; snmp 11, 104
settings 6, 9
shutdown 13
signatures 11
sip 10, 96: types 96
site address 18
smoothrule violations 228
smoothtunnel vpn certificate monitor 228
snmp 11, 104
source mapping 8, 46
source rules 76
sources 7
ssh 17: client 17
SSL 162
ssl login 9: accessing the page 210; customizing 209; exceptions 211
ssl roadwarriors 15
static ethernet settings 22
subnets 7

SYN backlog queue 54
SYN cookies 54
SYN+FIN packets 53
system 5, 6
system boot (restart) notification 229
system resource monitor 228
system service monitoring 228

T

TCP timestamps 54
telephony settings 32
temporary ban 206
temporary bans 9
tenants 275
time 13
time out 193
time slots 11
time-out 302
traffic: analysis 14; graphs 5
traffic statistics monitor 228
training 1
tutorial: vpn 178; zone bridging 61

U

unauthenticated ips 216
unknown entity 18
updates 13
ups 14, 277
ups, power supply status warning 228
url test tool 83
user: activity 9, 208; identity 301
user exceptions 9
users: banned 216; default 216; local 204; network administrators 216; temporary ban 206; unauthenticated IPs 216

V

virtual lans 36
vlan 36
voip 96
vpn 15, 127: authentication 128; psk 129; x509 129
vpn tunnel status 228

W

web proxy 6, 9
white-list users 95
whois 14
window scaling 54
wpa enterprise 9, 213

Y

yahoo 95

Z

zone bridge: narrow 59; rule create 59; settings 60; tutorial 61; wide 59
zone bridging 7, 59

